From owner-freebsd-questions Tue Oct 5 14:25:46 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by hub.freebsd.org (Postfix) with ESMTP id 6220215664 for ; Tue, 5 Oct 1999 14:25:29 -0700 (PDT) (envelope-from dan@dan.emsphone.com)
Received: (from dan@localhost) by dan.emsphone.com (8.9.3/8.9.3) id QAA99801; Tue, 5 Oct 1999 16:15:23 -0500 (CDT) (envelope-from dan)
Date: Tue, 5 Oct 1999 16:15:22 -0500
From: Dan Nelson
To: Jenkins.Mike@epamail.epa.gov
Cc: ru@ucb.crimea.ua, questions@FreeBSD.ORG
Subject: Re: ipfw and ports > 1023?
Message-ID: <19991005161522.A99545@dan.emsphone.com>
References: <85256801.006877BD.00@EPAHUB2.RTP.EPA.GOV>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <85256801.006877BD.00@EPAHUB2.RTP.EPA.GOV>
X-OS: FreeBSD 4.0-CURRENT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

In the last episode (Oct 05), Jenkins.Mike@epamail.epa.gov said:
> >> How do you say "ports > 1023" in ipfw? I see the port-port syntax
> >> but that is for a limited range of ports.
>
> Dan Nelson replied:
> >port 1024-65535
>
> Ruslan Ermilov replied with ipfw(8) and:
> >So, we say "1024-".
>
> My second sentence in the original post hinted about this but ... In
> the ipfw(8) manual page it says:
>
> "A range may only be specified as the first value, and the length
> of the port list is limited to IP_FW_MAX_PORTS (as defined in
> /usr/src/sys/netinet/ip_fw.h) ports."
>
> IP_FW_MAX_PORTS is 10 so the maximum number of ports listed is 10. So
> 20-29 would be ok (and so would 20-24,50,60,70,80,90) but 1024-65535
> is NOT ok and probably results in 1024-1033. I think the intent is
> to allow a small number of ports on a single rule rather than having
> multiple rules.

Eg: The ports are stored internally as an array of 10 numbers; if the
IP_FW_F_SRNG flag is set for the rule, the first two ports in the array
are interpreted as a range. So you can have a range and it can be as
wide as you like, but it must be specified first in the port list, and
you can only have one range per rule.

-- 
Dan Nelson
dnelson@emsphone.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
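The storage scheme Dan describes, worked through as an added example (written for this page; it is not code from ipfw or the FreeBSD kernel): a ten-slot port array with an IP_FW_F_SRNG flag marking the first two slots as a range, a parser that enforces "range first, one range only, at most IP_FW_MAX_PORTS entries", and a matcher that checks a packet's port against the list. Only the two constant names come from the thread; the struct, the function names, the flag's bit value and the reading of an open-ended "1024-" as 1024-65535 are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_FW_MAX_PORTS 10      /* limit quoted from ip_fw.h in the thread */
#define IP_FW_F_SRNG    0x0001  /* "first two ports are a range"; bit value is an assumption */

/* Hypothetical model of a rule's port list (not the kernel's struct). */
struct portlist {
    unsigned short ports[IP_FW_MAX_PORTS];
    int nports;                 /* entries of ports[] in use */
    unsigned flags;             /* IP_FW_F_SRNG when ports[0]-ports[1] is a range */
};

/* Parse one decimal port; 0 on success, -1 if not a number in 0..65535. */
static int parse_one(const char *s, unsigned short *out)
{
    char *end;
    long v;
    if (*s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > 65535)
        return -1;
    *out = (unsigned short)v;
    return 0;
}

/* Parse "1024-65535", "20-24,50,60,70,80,90" or "1024-" into pl, applying
 * the rules from the thread: a range may only be the first item, there is
 * one range per rule, it occupies two slots, and the list holds at most
 * IP_FW_MAX_PORTS entries.  Returns 0 on success, -1 on any violation. */
int parse_ports(const char *spec, struct portlist *pl)
{
    char buf[256];
    char *tok;
    int idx = 0;

    memset(pl, 0, sizeof *pl);
    if (strlen(spec) >= sizeof buf)
        return -1;
    strcpy(buf, spec);

    for (tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ","), idx++) {
        char *dash = strchr(tok, '-');
        if (dash != NULL) {
            unsigned short lo, hi;
            if (idx != 0)               /* range not first, or a second range */
                return -1;
            *dash = '\0';
            if (parse_one(tok, &lo) != 0)
                return -1;
            if (dash[1] == '\0')        /* "1024-": read as 1024-65535 (assumption) */
                hi = 65535;
            else if (parse_one(dash + 1, &hi) != 0)
                return -1;
            if (lo > hi)
                return -1;
            pl->ports[0] = lo;
            pl->ports[1] = hi;
            pl->nports = 2;
            pl->flags |= IP_FW_F_SRNG;
        } else {
            if (pl->nports >= IP_FW_MAX_PORTS)   /* the array is full */
                return -1;
            if (parse_one(tok, &pl->ports[pl->nports]) != 0)
                return -1;
            pl->nports++;
        }
    }
    return pl->nports > 0 ? 0 : -1;
}

/* 1 if port is covered: the optional range in ports[0..1] first, then the
 * remaining discrete entries. */
int match_port(const struct portlist *pl, unsigned short port)
{
    int i = 0;
    if (pl->flags & IP_FW_F_SRNG) {
        if (port >= pl->ports[0] && port <= pl->ports[1])
            return 1;
        i = 2;
    }
    for (; i < pl->nports; i++)
        if (pl->ports[i] == port)
            return 1;
    return 0;
}

/* One-call helpers: does the spec parse, and does a given port match it
 * (-1 when the spec itself is rejected). */
int spec_accepted(const char *spec)
{
    struct portlist pl;
    return parse_ports(spec, &pl) == 0;
}

int spec_matches(const char *spec, unsigned short port)
{
    struct portlist pl;
    if (parse_ports(spec, &pl) != 0)
        return -1;
    return match_port(&pl, port);
}

int main(void)
{
    const char *specs[] = { "1024-65535", "20-24,50,60,70,80,90",
                            "80,1024-65535", "1-10,20-30",
                            "1,2,3,4,5,6,7,8,9,10,11" };
    int i;
    for (i = 0; i < 5; i++)
        printf("%-26s -> %s, port 8080 %s\n", specs[i],
               spec_accepted(specs[i]) ? "ok" : "rejected",
               spec_matches(specs[i], 8080) == 1 ? "matches" : "does not match");
    return 0;
}
```

The rejected specs in main are the two cases the thread rules out (a range that is not the first item, a second range) plus an eleventh entry; note that a wide range such as 1024-65535 costs only two of the ten slots, which is the point Dan makes against the "1024-1033" reading.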