Date:      Tue, 28 May 2002 15:51:42 +0100
From:      Daniel Bye <dan@slightlystrange.org>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw range filter?
Message-ID:  <20020528145142.GE27216@icarus.slightlystrange.org>
In-Reply-To: <001801c20654$84415990$b50d030a@PATRICK>
References:  <20020528140608.56609.qmail@web14801.mail.yahoo.com> <001801c20654$84415990$b50d030a@PATRICK>

On Tue, May 28, 2002 at 04:32:36PM +0200, Patrick O'Reilly wrote:
> ----- Original Message -----
> From: "Chris Appleton" <appleton_chris@yahoo.com>
> >
> > that makes perfect sense but here's the catch.  i'm using the full c
> > subnet, meaning all nodes are configured as 1.2.3.0/24 255.255.255.0.
> >
> > what i'd like to do is segment/target say .230 - .254 (i know the #'s
> > don't add) out of the full class c i'm using.  only do it at bsd, not
> > go around creating proper 'sub' subnets (lazy i guess).
> >
> > isolate a block/segment of the whole subnet which i'm configured to
> > use in a bsd rule.
> 
> You can create a rule like this:
> 
> ipfw add 123 allow tcp from any to 1.2.3.240/28 25 setup
> 
> Even though your subnet is a /24, this rule will work to single out the
> range of addresses from 1.2.3.240 through 1.2.3.255.  So, if you can
> set up blocks which match the way IP subnets normally work, you can do
> it.  I don't know of a way to list an arbitrary range of IPs in one ipfw
> rule.
> 
> I guess what you want is something like this:
> 
> ipfw add 123 allow tcp from any to 1.2.3.230-1.2.3.254 25 setup
> 
> But the ipfw syntax does not support such a construct (AFAIK).

If you're using 4.5, though, you can use a preprocessor to parse
additional config files, such as lists of IP addresses etc.  It's not a
feature I have yet needed to use, though, so can't offer any practical
assistance or advice.  I guess the external files' syntax will be
informed by the preprocessor you choose.

There is a little more about it in man 8 ipfw

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
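
The range asked about in this thread (1.2.3.230 through 1.2.3.254) can be covered exactly by a handful of CIDR blocks, so the filter does not have to be widened to a /28 that also matches 1.2.3.255. The script below is an added example, not part of the original messages: it splits an inclusive range into the smallest set of aligned blocks and prints (does not run) one rule per block in the form quoted above. The function names and the incrementing rule numbers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: split an inclusive IPv4 range into CIDR blocks for ipfw.

# Dotted quad -> integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal list of CIDR blocks covering start..end (inclusive).
range_to_cidrs() {
    cur=$(ip_to_int "$1")
    end=$(ip_to_int "$2")
    while [ "$cur" -le "$end" ]; do
        # Grow the block while it stays aligned on cur and inside the range.
        size=1; prefix=32
        while [ "$prefix" -gt 0 ] &&
              [ $(( cur % (size * 2) )) -eq 0 ] &&
              [ $(( cur + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 )); prefix=$(( prefix - 1 ))
        done
        echo "$(int_to_ip "$cur")/$prefix"
        cur=$(( cur + size ))
    done
}

# Print (not run) one ipfw rule per block, in the form used in the thread.
# $1 = first rule number, $2 = range start, $3 = range end, $4 = TCP port
emit_rules() {
    num=$1
    for cidr in $(range_to_cidrs "$2" "$3"); do
        echo "ipfw add $num allow tcp from any to $cidr $4 setup"
        num=$(( num + 1 ))
    done
}

# The range from the thread, starting at the rule number used there.
emit_rules 123 1.2.3.230 1.2.3.254 25
```

For 1.2.3.230 through 1.2.3.254 this yields six blocks; review the printed rules before loading them.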
