Date: Mon, 5 Apr 2010 06:58:26 -0400
From: Carmel NY <carmel_ny@hotmail.com>
To: freebsd-questions@freebsd.org
Subject: Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}
Message-ID: <BLU0-SMTP871DA8A28258CB4C4BFBCF93190@phx.gbl>
In-Reply-To: <201004050011.o350BgqF015947@mail.r-bonomi.com>
References: <201004050011.o350BgqF015947@mail.r-bonomi.com>
On Sun, 4 Apr 2010 19:11:42 -0500 (CDT), Robert Bonomi <bonomi@mail.r-bonomi.com> articulated:

> > From owner-freebsd-questions@freebsd.org Sun Apr 4 08:12:11 2010
> > Date: Sun, 4 Apr 2010 09:11:47 -0400
> > From: Carmel NY <carmel_ny@hotmail.com>
> > To: freebsd-questions@freebsd.org
> > Subject: Configuring IPFW IP range
> >
> > This is my first attempt at configuring IPFW. I have it up and running; however, I am not quite sure how to accomplish configuring it to block an IP range.
> >
> > Assume an IP range: 219.128.0.0 to 219.137.255.255
> >
> > That is an actual range: CHINANET Guangdong province network
> >
> > I want to block the entire range. I am not sure how to do it in IPFW. I have read the 'man' pages; however, I am not getting the syntax correct since I cannot get the range added.
>
> CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a 'power of two' in size, and (c) be no larger than the 'power of 2' factor for the starting address. This range is _not_ that way [fails (b)], so you'll have to do it with multiple entries.
>
> i.e., one for "219.128.0.0/13" which will catch 219.128.0.0 - 219.135.255.255 and a 2nd for "219.136.0.0/15" which will catch 219.136.0.0 - 219.137.255.255
>
> Life can get messier, when rule 3 comes into play, consider the block 219.130.0.0 to 219.139.255.255
>
> 219.130.0.0 is on a /15 boundary, so that's the max block size you can use for that starting address.
> 219.130.0.0/15 catches 219.130.0.0 - 219.131.255.255
> next, you can start with 219.132.0.0, which is a /14, and block a /14 with 219.132.0.0/14 catches 219.132.0.0 - 219.135.255.255
> now, 219.136.0.0 is a /13 so you could block that big with just one more rule, if needed, (BUT, you only need another /14, to cover the remainder of the group of 10 /16s that the initial block includes.
> thus, lastly: 219.136.0.0/14 catches 219.136.0.0 - 219.139.255.255

Thanks! It was suggested that I try 'ipcalc' by another poster. I did, and it works excellently. In any case, I do have to familiarize myself more fully with IP addressing.
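The three rules quoted above (aligned start, power-of-two size, size bounded by the start address's alignment) are exactly what a range-to-CIDR splitter has to apply at each step. The following is an added example, not code from this thread or from ipcalc; it reproduces both of the decompositions worked out above and emits matching ipfw deny rules (the rule numbers are assumed, not taken from the thread).

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    At each step the block size is the smaller of:
      (a)/(c) the alignment of the current start address (its lowest set bit),
      (b)     the largest power of two that still fits in the remaining range.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        # Largest aligned block that may begin at `start` (0.0.0.0 allows /0).
        align_size = (start & -start) if start else 1 << 32
        # Largest power of two not exceeding the addresses left to cover.
        remaining = end - start + 1
        fit_size = 1 << (remaining.bit_length() - 1)
        size = min(align_size, fit_size)
        prefix = 33 - size.bit_length()          # size == 1 << (32 - prefix)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += size
    return blocks


def matches_stdlib(first, last):
    """Cross-check against the standard library's summarizer."""
    ref = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return range_to_cidrs(first, last) == [str(n) for n in ref]


def ipfw_deny_rules(first, last, base_rule=1000):
    """One 'deny ip from <cidr> to any' rule per block; base_rule is assumed."""
    return [f"ipfw add {base_rule + i} deny ip from {cidr} to any"
            for i, cidr in enumerate(range_to_cidrs(first, last))]


if __name__ == "__main__":
    # Constructed inputs: the two ranges discussed in the thread.
    for first, last in (("219.128.0.0", "219.137.255.255"),
                        ("219.130.0.0", "219.139.255.255")):
        print("\n".join(ipfw_deny_rules(first, last)))
```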