Date:      Sat, 21 Apr 2001 18:41:00 +0100
From:      Lee Smallbone <lee@kechara.net>
To:        Peter Pentchev <roam@orbitel.bg>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw problem
Message-ID:  <200104211753.SAA32096@mailgate.kechara.net>

I know that some of the 'hardware' firewall boxes (such as SonicWALL) support IP ranges, but
I've yet to find a software solution. 

 

21/04/2001 23:30:01, Peter Pentchev <roam@orbitel.bg> wrote:

>On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> Hi Peter,
>> 
>>  Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>>  ranges?? If the author is listening...)
>> 
>>  I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>>  in the script. No such luck. 
>
>Hmm I didn't quite parse that - are you saying that ${ip} really isn't defined
>until later?  If so, has that solved your problem?

 No, it didn't solve the problem. :) I was saying I thought it *might* have, but it was 
 only another error, which occurred after the range was specified, thus ipfw didn't
 ever get to that error. 

>And about the ranges - ipfw(8) is only a controlling interface to the kernel
>ipfw routines.  It would be *much* harder for the kernel to compare every
>packet's address against a range than it is to compare it against a netmask -
>the latter only involves a bitwise AND operator.  I wonder if ranges would
>be so hard to implement though; the fact is, they are not implemented at
>the moment, this would take some work, and actually, I'm not aware of any
>other firewalling system that implements ranges.  I would be VERY much out
>of my bailiwick here, though, because I've not dealt with that many other
>firewalling systems, but still, I think ranges are somewhat unusual in
>firewall rules :)
>
>G'luck,
>Peter
>
>-- 
>I had to translate this sentence into English because I could not read the original Sanskrit.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--

Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net 

Tel: (01243) 869 969
Fax: (01243) 866 685
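
The netmask comparison discussed in the thread, and one way to express an address range as the address/bits blocks that ipfw(8) does accept. This is an added example, not code from the thread or from ipfw itself; the function names, the sample range and the `deny all ... to any` rule shape are assumptions made for illustration, and it relies on the shell having 64-bit arithmetic.

```shell
#!/bin/sh
# Added example: split an inclusive IPv4 range into CIDR blocks.

ip_to_int() {   # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {   # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# The per-packet test a netmask rule needs: one AND and one compare.
in_cidr() {     # usage: in_cidr ADDR NET/BITS
    addr=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Greedy split: at each step take the largest block that starts at
# 'start', is aligned to its own size, and does not run past 'end'.
range_to_cidr() {   # usage: range_to_cidr FIRST LAST
    start=$(ip_to_int "$1"); end=$(ip_to_int "$2")
    while [ "$start" -le "$end" ]; do
        prefix=32
        while [ "$prefix" -gt 0 ]; do
            size=$(( 1 << (32 - prefix + 1) ))      # next larger block
            [ $(( start & (size - 1) )) -eq 0 ] || break     # misaligned
            [ $(( start + size - 1 )) -le "$end" ] || break  # overshoots
            prefix=$(( prefix - 1 ))
        done
        echo "$(int_to_ip "$start")/$prefix"
        start=$(( start + (1 << (32 - prefix)) ))
    done
}

# Constructed sample range; the rules are printed, not installed.
for block in $(range_to_cidr 192.168.1.10 192.168.1.20); do
    echo "ipfw add deny all from $block to any"
done
```

A range of N addresses never needs more than 2 x 32 - 2 blocks, so the rule count stays bounded even for awkwardly aligned ranges.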