From owner-freebsd-questions Tue Oct 5 12:25:51 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.rdc2.on.home.com (ha1.rdc2.on.home.com [24.9.0.15]) by hub.freebsd.org (Postfix) with ESMTP id E26CE14E5C for ; Tue, 5 Oct 1999 12:25:48 -0700 (PDT) (envelope-from street@iname.com)
Received: from mired.eh.local ([24.64.136.188]) by mail.rdc2.on.home.com (InterMail v4.01.01.07 201-229-111-110) with ESMTP id <19991005192451.FULY5795.mail.rdc2.on.home.com@mired.eh.local>; Tue, 5 Oct 1999 12:24:51 -0700
Received: (from kws@localhost) by mired.eh.local (8.9.3/8.9.3) id NAA38226; Tue, 5 Oct 1999 13:45:31 -0400 (EDT) (envelope-from kws)
To: Ruslan Ermilov
Cc: Jenkins.Mike@epamail.epa.gov, questions@FreeBSD.ORG
Subject: Re: ipfw and ports > 1023?
References: <85256801.0051E276.00@EPAHUB2.RTP.EPA.GOV> <19991005190127.D8085@relay.ucb.crimea.ua>
From: Kevin Street
Date: 05 Oct 1999 13:45:30 -0400
In-Reply-To: Ruslan Ermilov's message of "Tue, 5 Oct 1999 19:01:27 +0300"
Message-ID: <874sg51z2d.fsf@mired.eh.local>
Lines: 38
X-Mailer: Gnus v5.6.45/XEmacs 21.1 - "20 Minutes to Nikko"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ruslan Ermilov writes:

> On Tue, Oct 05, 1999 at 09:59:33AM -0500, Jenkins.Mike@epamail.epa.gov wrote:
> > How do you say "ports > 1023" in ipfw?
> > I see the port-port syntax but that is for a limited range of ports.
> >
> ipfw(8) manpage, in particular, says:
>
> : With the TCP and UDP protocols, optional ports may be specified as:
> :
> :     {port|port-port}[,port[,...]]
> :
> : Service names (from /etc/services) may be used instead of numeric port
> : values. A range may only be specified as the first value, and the length
>           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> : of the port list is limited to IP_FW_MAX_PORTS (as defined in
> : /usr/src/sys/netinet/ip_fw.h) ports. A `\' can be used to escape the `-'
> : character in a service name:
>
> So, we say "1024-".
Well, yes that works, but that is not what the description you quoted
means. "A range may only be specified as the first value" means "if you
specify a range it must be the first value in the list". So you cannot do:

    ipfw add 1 deny udp from any 300,1024-1500 to any

but you can do:

    ipfw add 1 deny udp from any 1024-1500,300 to any

You cannot have multiple ranges in the same ipfw statement either.

The "1024-" notation works (at least in current) but is undocumented.
The syntax should really be:

    {port|port-port|port-}[,port[,...]]

--
Kevin Street
street@iname.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
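The grammar Kevin spells out above ({port|port-port|port-}[,port[,...]]: a range only as the first value, never more than one range, "port-" meaning "port through 65535", and a list capped at IP_FW_MAX_PORTS) is small enough to check mechanically before a rule goes into a firewall. The checker below is an added example for this thread, not code from ipfw or from anyone in the discussion. It assumes a constructed subset of /etc/services and a placeholder value of 10 for IP_FW_MAX_PORTS (the real value is whatever /usr/src/sys/netinet/ip_fw.h on your system defines); the function names parse_ports, is_valid and matches are this example's own.

```python
"""Validator for the ipfw(8) TCP/UDP port-list syntax discussed in the thread.

Grammar modelled (the corrected form from Kevin's reply):

    {port|port-port|port-}[,port[,...]]

i.e. at most one range, and only as the first element; "port-" is the
open-ended form that reaches 65535.  This is an illustrative
reimplementation for the example, not ipfw's own parser.
"""
import re
from typing import List, Tuple

# Constructed subset of /etc/services for the example; real ipfw reads the file.
SERVICES = {"ftp-data": 20, "telnet": 23, "domain": 53, "http": 80, "ntp": 123}

# Assumption: the real limit is IP_FW_MAX_PORTS in /usr/src/sys/netinet/ip_fw.h;
# 10 is a placeholder for the example, not a value quoted from that header.
IP_FW_MAX_PORTS = 10

MAX_PORT = 65535

# (lo, hi) inclusive; a single port is (p, p), "lo-" is (lo, MAX_PORT)
PortRange = Tuple[int, int]


class PortSyntaxError(ValueError):
    """Raised for a port list that the modelled grammar would reject."""


def _port(tok: str) -> int:
    """Resolve one numeric port or (already unescaped) service name."""
    if tok in SERVICES:
        return SERVICES[tok]
    if not tok.isdigit():
        raise PortSyntaxError(f"unknown port or service name: {tok!r}")
    n = int(tok)
    if n > MAX_PORT:
        raise PortSyntaxError(f"port {n} out of range")
    return n


def parse_ports(spec: str, max_ports: int = IP_FW_MAX_PORTS) -> List[PortRange]:
    """Parse a comma-separated port list into inclusive (lo, hi) ranges.

    Rejects a range anywhere but first (which also rules out a second
    range), a list longer than max_ports, and malformed tokens.  A
    backslash-escaped "\\-" inside a service name (e.g. ftp\\-data) is not
    treated as a range separator, matching the manpage's escape rule.
    """
    items = spec.split(",")
    if len(items) > max_ports:
        raise PortSyntaxError(f"port list longer than {max_ports} entries")
    ranges: List[PortRange] = []
    for i, item in enumerate(items):
        if not item:
            raise PortSyntaxError("empty port entry")
        # split on '-' only when it is not escaped with a backslash
        parts = [p.replace("\\-", "-") for p in re.split(r"(?<!\\)-", item)]
        if len(parts) == 1:
            p = _port(parts[0])
            ranges.append((p, p))
        elif len(parts) == 2:
            if i != 0:
                raise PortSyntaxError(
                    f"range {item!r} must be the first value in the list")
            lo = _port(parts[0])
            hi = MAX_PORT if parts[1] == "" else _port(parts[1])  # "lo-" form
            if lo > hi:
                raise PortSyntaxError(f"inverted range {item!r}")
            ranges.append((lo, hi))
        else:
            raise PortSyntaxError(f"malformed range {item!r}")
    return ranges


def is_valid(spec: str) -> bool:
    """True if parse_ports accepts spec under the modelled grammar."""
    try:
        parse_ports(spec)
    except PortSyntaxError:
        return False
    return True


def matches(spec: str, port: int) -> bool:
    """Would a packet on `port` hit a rule carrying this port list?"""
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))


if __name__ == "__main__":
    # The examples from the thread, plus an escaped service name.
    for example in ("1024-", "1024-1500,300", "300,1024-1500", "1-10,20-30",
                    "ftp\\-data,http"):
        result = parse_ports(example) if is_valid(example) else "rejected"
        print(f"{example:20s} -> {result}")
```

The two rules from the reply come out as expected: "1024-1500,300" parses, "300,1024-1500" is rejected because the range is not first, and a second range such as "1-10,20-30" is rejected for the same reason. Since "1024-" is undocumented in the manpage quoted above, it is worth confirming on the target system that the kernel recorded the rule you intended; ipfw list prints the loaded rule set.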