From owner-freebsd-security Sat Apr 21 22: 1:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5])
	by hub.freebsd.org (Postfix) with ESMTP id C91DC37B648
	for ; Sat, 21 Apr 2001 22:01:08 -0700 (PDT)
	(envelope-from poige@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238])
	by ns.morning.ru (8.9.3/8.9.3) with ESMTP id NAA45393
	for ; Sun, 22 Apr 2001 13:03:38 +0800 (KRAST)
	(envelope-from poige@morning.ru)
Date: Sun, 22 Apr 2001 13:04:14 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Reply-To: Igor Podlesny
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <68144568768.20010422130414@morning.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: ipfw problem
X-Sender: Igor Podlesny
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

PP> On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> Hi Peter,
>>
>> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>> ranges?? If the author listening...)
>>
>> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> in the script. No such luck.

PP> Hmm I didn't quite parse that - are you saying that ${ip} really isn't defined
PP> until later? If so, has that solved your problem?

PP> And about the ranges - ipfw(8) is only a controlling interface to the kernel
PP> ipfw routines.

sure

PP> It would be *much* harder for the kernel to compare every
PP> packet's address against a range than it is to compare it against a netmask -
PP> the latter only involves a bitwise AND operator.

I rather don't agree with that statement, but consider, we should decide
what *MUCH* is at any case :) And pay your attention, plz -- it does check
port ranges absolutely easy..
I don't see any big difference between ports and IP-addresses. They both
are represented as usual (not too big) numbers at last.

PP> I wonder if ranges would
PP> be so hard to implement though; the fact is, they are not implemented at
PP> the moment, this would take some work, and actually, I'm not aware of any
PP> other firewalling system that implements ranges. I would be VERY much out
PP> of my bailiwick here, though, because I've not dealt with that many other
PP> firewalling systems, but still, I think ranges are somewhat unusual in
PP> firewall rules :)

PP> G'luck,
PP> Peter

-- 
Igor mailto:poige@morning.ru
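
The netmask-versus-range comparison discussed in this thread, as an added example that is not part of the original messages or of ipfw: it puts both checks side by side and splits an address range into the aligned netmask blocks that mask-only rules can express. The struct, the function names and the sample range are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

struct cidr { uint32_t net; int len; };   /* address in host byte order */

/* Netmask match as described in the thread: one AND and one compare. */
static int in_cidr(uint32_t ip, struct cidr c) {
    uint32_t mask = c.len ? 0xFFFFFFFFu << (32 - c.len) : 0;
    return (ip & mask) == c.net;
}

/* Range match: two unsigned compares, the same work as a port range. */
static int in_range(uint32_t ip, uint32_t lo, uint32_t hi) {
    return ip >= lo && ip <= hi;
}

/* Split [lo, hi] into the fewest aligned blocks.
 * Returns the block count, or -1 if out[] is too small. */
static int range_to_cidr(uint32_t lo, uint32_t hi, struct cidr *out, int max) {
    int n = 0;
    uint64_t cur = lo;   /* 64-bit so cur can step past 255.255.255.255 */
    while (cur <= hi) {
        int len = 32;
        /* Widen the block while it stays aligned on cur and inside the range. */
        while (len > 0) {
            uint64_t size = 1ULL << (32 - (len - 1));
            if ((cur & (size - 1)) != 0 || cur + size - 1 > hi) break;
            len--;
        }
        if (n == max) return -1;
        out[n++] = (struct cidr){ (uint32_t)cur, len };
        cur += 1ULL << (32 - len);
    }
    return n;
}

int main(void) {
    /* Constructed sample range: 192.168.1.10 - 192.168.1.20 */
    uint32_t lo = 0xC0A8010Au, hi = 0xC0A80114u;
    struct cidr b[64];
    int n = range_to_cidr(lo, hi, b, 64);
    for (int i = 0; i < n; i++)
        printf("%u.%u.%u.%u/%d\n", b[i].net >> 24, (b[i].net >> 16) & 255,
               (b[i].net >> 8) & 255, b[i].net & 255, b[i].len);
    /* Cross-check: the mask blocks accept exactly what the range test accepts. */
    for (uint32_t ip = lo - 4; ip <= hi + 4; ip++) {
        int hit = 0;
        for (int i = 0; i < n; i++) hit |= in_cidr(ip, b[i]);
        if (hit != in_range(ip, lo, hi)) return 1;
    }
    return 0;
}
```

For the sample range the split yields four blocks, so one range rule becomes four netmask rules.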