From owner-freebsd-security Sat Apr 21 9:38:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 7897637B423 for ; Sat, 21 Apr 2001 09:38:17 -0700 (PDT) (envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA32096; Sat, 21 Apr 2001 18:53:03 +0100
Message-Id: <200104211753.SAA32096@mailgate.kechara.net>
Date: Sat, 21 Apr 2001 18:41:00 +0100
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: ipfw problem
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I know that some of the 'hardware' firewall boxes (such as SonicWALL) support IP ranges, but I've yet to find a software solution.

21/04/2001 23:30:01, Peter Pentchev wrote:

>On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> Hi Peter,
>>
>> Thanks for your workaround, although it's not quite what I'd hoped for. (Why does ipfw not allow
>> ranges?? If the author is listening...)
>>
>> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> in the script. No such luck.
>
>Hmm, I didn't quite parse that - are you saying that ${ip} really isn't defined
>until later? If so, has that solved your problem?

No, it didn't solve the problem. :) I was saying I thought it *might* have, but it was only another error, which occurred after the range was specified, thus ipfw didn't ever get to that error.

>And about the ranges - ipfw(8) is only a controlling interface to the kernel
>ipfw routines. It would be *much* harder for the kernel to compare every
>packet's address against a range than it is to compare it against a netmask -
>the latter only involves a bitwise AND operator. I wonder if ranges would
>be so hard to implement though; the fact is, they are not implemented at
>the moment, this would take some work, and actually, I'm not aware of any
>other firewalling system that implements ranges. I would be VERY much out
>of my bailiwick here, though, because I've not dealt with that many other
>firewalling systems, but still, I think ranges are somewhat unusual in
>firewall rules :)
>
>G'luck,
>Peter
>
>--
>I had to translate this sentence into English because I could not read the original Sanskrit.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
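The netmask comparison Peter describes (one bitwise AND against a mask) and the usual way of expressing an arbitrary address range with netmask-only rules, as an added example that is not from this thread and not ipfw's own code. It assumes the workaround under discussion was to split the range into the smallest set of CIDR blocks (Peter's actual workaround is not quoted above); the `rules_for_range` helper, its plain `ipfw add <action> ip from <src> to any` rule form, and the 192.0.2.x sample range are my own choices.

```python
"""Added example (not from the thread, nor ipfw's own code): the netmask test
a kernel does with one bitwise AND, the range test ipfw lacks, and the
decomposition of an inclusive range into the netmask blocks that ipfw rules
can express.  Assumption: this decomposition is the workaround being
discussed; the real workaround is not quoted in the thread."""
from ipaddress import IPv4Address
from typing import List


def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, the form the comparisons operate on."""
    return int(IPv4Address(addr))


def matches_netmask(addr: str, network: str, prefix_len: int) -> bool:
    """Netmask match as a kernel does it: (addr & mask) == (network & mask)."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return (ip_to_int(addr) & mask) == (ip_to_int(network) & mask)


def matches_range(addr: str, low: str, high: str) -> bool:
    """Inclusive range match: two magnitude comparisons, not a single AND."""
    return ip_to_int(low) <= ip_to_int(addr) <= ip_to_int(high)


def range_to_cidrs(low: str, high: str) -> List[str]:
    """Split [low, high] into the fewest CIDR blocks that cover exactly it.

    At each step take the largest block that starts at `start` (so `start`
    must be aligned to the block size) and does not run past `high`.
    """
    start, end = ip_to_int(low), ip_to_int(high)
    if start > end:
        raise ValueError("range start is above range end")
    blocks = []
    while start <= end:
        prefix = 32
        # Widen the block while it stays aligned and inside the range.
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))
            if start % size != 0 or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks


def rules_for_range(low: str, high: str, action: str = "deny") -> List[str]:
    """Render one ipfw rule per block, in the plain
    'ipfw add <action> ip from <src> to any' form (hypothetical helper)."""
    return [f"ipfw add {action} ip from {block} to any"
            for block in range_to_cidrs(low, high)]


def decomposition_is_exact(low: str, high: str) -> bool:
    """Check the blocks cover exactly the range: every address from one below
    the range to one above it matches a block iff it lies in the range.
    Brute force, so intended for small ranges."""
    blocks = [(b.split("/")[0], int(b.split("/")[1]))
              for b in range_to_cidrs(low, high)]
    lo, hi = ip_to_int(low), ip_to_int(high)
    for n in range(max(lo - 1, 0), min(hi + 1, 0xFFFFFFFF) + 1):
        addr = str(IPv4Address(n))
        in_blocks = sum(matches_netmask(addr, net, plen) for net, plen in blocks)
        if in_blocks != (1 if matches_range(addr, low, high) else 0):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample range drawn from the TEST-NET-1 documentation block.
    for rule in rules_for_range("192.0.2.17", "192.0.2.30"):
        print(rule)
    print("exact:", decomposition_is_exact("192.0.2.17", "192.0.2.30"))
```

A range that is not aligned to a power of two (such as .17 to .30) needs several rules where a single range rule would do, which is the cost of the netmask-only design; `decomposition_is_exact` is there so the generated rule set can be checked against the intended range before it is loaded.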