From: Brett Glass
To: Jos Chrispijn, FreeBSD Mailing List
Date: Fri, 07 Jun 2024 12:32:12 -0600
Subject: Re: IPFW blocking ip ranges

IPFW has the ability to block subnets (ranges that can be matched with a
base address and bitmask), e.g. 1.184.192.0/18, with just one pattern within
a rule. Arbitrary ranges and discontiguous sets that can't be matched that
way can use:

* An "or block" (several patterns enclosed within braces and separated by "or");

* Multiple rules; or

* An "address set" (a subnet specification followed by a list of addresses within
a subnet that's /24 or smaller).

The IPFW man page gives a grammar and shows examples. Search for "addr-list"
within the page to find the right section.

--Brett

At 11:41 AM 6/7/2024, you wrote:

> Can you tell me how to block in ipfw a certain ip range in one line, like 1.184.192.0 - 1.184.255.255
> Thanks.
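An added example, not part of the original message: a short Python helper that reduces a first/last address pair to the fewest CIDR patterns and prints either the single-pattern rule or the "or block" form mentioned in the reply. The `deny ip from ... to any` rule shape and the second sample range are assumptions made for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the smallest list of CIDR blocks covering exactly first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is above range end {hi}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def ipfw_deny_rule(first, last):
    """One rule: a single pattern if the range is a subnet, else an or-block."""
    cidrs = range_to_cidrs(first, last)
    if len(cidrs) == 1:
        src = cidrs[0]
    else:
        src = "{ " + " or ".join(cidrs) + " }"
    # Assumed rule shape: drop all IP traffic sourced from the range.
    return f"ipfw add deny ip from {src} to any"


def ipfw_deny_rules(first, last):
    """The 'multiple rules' alternative: one rule per CIDR block."""
    return [f"ipfw add deny ip from {c} to any"
            for c in range_to_cidrs(first, last)]


if __name__ == "__main__":
    # The range from the question collapses to a single /18.
    print(ipfw_deny_rule("1.184.192.0", "1.184.255.255"))
    # Constructed range that is not a single subnet: needs an or-block.
    print(ipfw_deny_rule("1.184.192.0", "1.185.0.255"))
    for rule in ipfw_deny_rules("1.184.192.0", "1.185.0.255"):
        print(rule)
```

Review the generated CIDR list before loading it, since a range whose endpoints are off by one address can expand into many small blocks.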