Date:      05 Oct 1999 13:45:30 -0400
From:      Kevin Street <street@iname.com>
To:        Ruslan Ermilov <ru@ucb.crimea.ua>
Cc:        Jenkins.Mike@epamail.epa.gov, questions@FreeBSD.ORG
Subject:   Re: ipfw and ports > 1023?
Message-ID:  <874sg51z2d.fsf@mired.eh.local>
In-Reply-To: Ruslan Ermilov's message of "Tue, 5 Oct 1999 19:01:27 +0300"
References:  <85256801.0051E276.00@EPAHUB2.RTP.EPA.GOV> <19991005190127.D8085@relay.ucb.crimea.ua>

Ruslan Ermilov <ru@ucb.crimea.ua> writes:

> On Tue, Oct 05, 1999 at 09:59:33AM -0500, Jenkins.Mike@epamail.epa.gov wrote:
> > How do you say "ports > 1023" in ipfw?
> > I see the port-port syntax but that is for a limited range of ports.
> > 
> ipfw(8) manpage, in particular, says:
> 
> : With the TCP and UDP protocols, optional ports may be specified as:
> : 
> :     {port|port-port}[,port[,...]]
> : 
> : Service names (from /etc/services) may be used instead of numeric port
> : values.  A range may only be specified as the first value, and the length
>            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> : of the port list is limited to IP_FW_MAX_PORTS (as defined in
> : /usr/src/sys/netinet/ip_fw.h) ports.  A `\' can be used to escape the `-'
> : character in a service name:
> 
> So, we say "1024-".

Well, yes that works, but that is not what the description you quoted
means.  "A range may only be specified as the first value" means
"if you specify a range it must be the first value in the list".  So
you can not do:
	ipfw add 1 deny udp from any 300,1024-1500 to any
but you can do:
	ipfw add 1 deny udp from any 1024-1500,300 to any

You can not have multiple ranges in the same ipfw statement either.

The "1024-" notation works (at least in current) but is undocumented.
The syntax should really be:
     {port|port-port|port-}[,port[,...]]

-- 
Kevin Street
street@iname.com
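
Added example, not part of the original message and not FreeBSD code: a small sh lint that checks a numeric port list against the grammar described above (a range only as the first value, the open-ended "port-" form accepted) before it is handed to ipfw. The function names are hypothetical; service names and the IP_FW_MAX_PORTS length limit are not checked.

```shell
#!/bin/sh
# Added example: lint a numeric ipfw port list against the grammar
#   {port|port-port|port-}[,port[,...]]
# Function names are hypothetical. Service names and the
# IP_FW_MAX_PORTS length limit are not checked.

# is_port N: succeed if N is a decimal number in 0..65535
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# check_portlist LIST: return 0 if LIST fits the grammar, else 1 with
# the reason on stderr.
check_portlist() {
    case $1 in
        *[!0-9,-]*) echo "only numeric lists are checked: '$1'" >&2; return 1 ;;
        ''|,*|*,|*,,*) echo "empty entry in '$1'" >&2; return 1 ;;
    esac
    first=1
    old_ifs=$IFS; IFS=,
    set -- $1          # split on commas; input holds only digits, ',' and '-'
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            *-*)
                # A range must be the first value, which also rules out
                # a second range later in the list.
                if [ "$first" -ne 1 ]; then
                    echo "range '$entry' is not the first value" >&2; return 1
                fi
                lo=${entry%%-*}; hi=${entry#*-}
                is_port "$lo" || { echo "bad port '$lo'" >&2; return 1; }
                # An empty upper bound is the open-ended "1024-" form.
                if [ -n "$hi" ]; then
                    is_port "$hi" || { echo "bad port '$hi'" >&2; return 1; }
                fi ;;
            *)  is_port "$entry" || { echo "bad port '$entry'" >&2; return 1; } ;;
        esac
        first=0
    done
    return 0
}

# Check any lists given on the command line.
for arg in "$@"; do
    if check_portlist "$arg"; then echo "ok: $arg"; fi
done
```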

