ipfw IP ranges
Dan Nelson
dnelson at allantgroup.com
Wed Mar 9 08:27:16 PST 2005
In the last episode (Mar 09), Darek Milewski said:
> trying to specify IP ranges in ipfw. The man page is pretty brief in
> this respect, but I understand that I should be able to specify
>
> allow tcp from any to 1.2.3.0/25{14-24} 3389
>
> which should apply the rule to IP block of 1.2.3.14 through 1.2.3.24.
> However, I was just closing down 1.2.3.127 and noticed that a port
> that was closed was accessible. Turns out the rule above was
> matching traffic going to 1.2.3.127:3389.
>
> When running 'ipfw show' the allow from above is listed as
>
> allow tcp from any to 1.2.3.0/25 3389
Works for me on 5.3:
# ipfw add 400 allow tcp from any to "1.2.3.0/25{14-24}" 3389
00400 allow tcp from any to 1.2.3.0/25{14-24} dst-port 3389
# ipfw show
00400 0 0 allow tcp from any to 1.2.3.0/25{14-24} dst-port 3389
> So it looks like my original syntax enabled the rule for the whole /25
> subnet. Am I doing this wrong? If so, how can I specify ranges
> explicitly, meaning not using smaller subnets. IE: 1.2.3.14-27 instead
> of 1.2.3.14/28, which would not be very precise of a match. Perhaps I
> should be using /24 instead of /25?
Yes; the ipfw manpage has this example:
As an example, an address specified as 1.2.3.4/24{128,35-55,89}
will match the following IP addresses:
1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
Although I think a much better syntax would be 1.2.3.{128,35-55,89}.
--
Dan Nelson
dnelson at allantgroup.com
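The spec syntax under discussion is addr/masklen{list}: the mask picks the block (host bits of addr are discarded, so 1.2.3.4/24 means the 1.2.3.0 block), and the numbers in braces are host offsets inside that block, not addresses. The model below, added here as an illustration and not code from ipfw or from anyone in this thread, parses that syntax and evaluates it the documented way, so you can check what a rule will and will not match before loading it; it also lists the addresses a rule would silently gain if the {list} were dropped and only the /25 survived, which is the exposure the question describes. The /24-or-narrower limit on the set form is from my recollection of ipfw2.c and is an assumption; the function names and sample addresses are mine. Note that Dan quotes the spec on the ipfw command line, which is worth copying: csh and bash both treat braces as shell syntax.

```python
import ipaddress
import re

# Model of ipfw(8) addr/masklen{list} matching (dotted-quad form only).
# This is an added example, not ipfw's own code.

_SPEC_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)/(\d+)(?:\{([^}]*)\})?$")


def parse_addr_spec(spec):
    """Parse 'a.b.c.d/masklen' or 'a.b.c.d/masklen{list}'.

    Returns (base, masklen, offsets): base is the block start as an int,
    offsets is a frozenset of host offsets, or None when no list was given.
    """
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError("bad address spec: %r" % spec)
    addr, masklen, lst = m.group(1), int(m.group(2)), m.group(3)
    if not 0 <= masklen <= 32:
        raise ValueError("mask length out of range: %d" % masklen)
    mask = (0xFFFFFFFF << (32 - masklen)) & 0xFFFFFFFF
    base = int(ipaddress.IPv4Address(addr)) & mask  # host bits are discarded
    if lst is None:
        return base, masklen, None
    # Assumption (recollection of ipfw2.c): the set form requires /24 or
    # narrower, i.e. at most 256 host offsets.
    if masklen < 24:
        raise ValueError("address set requires masklen >= 24, got /%d" % masklen)
    size = 1 << (32 - masklen)
    offsets = set()
    for item in lst.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        # Offsets are relative to the block, so they must fit in it.
        if not (0 <= lo <= hi < size):
            raise ValueError("offset %s outside the %d-host /%d block"
                             % (item, size, masklen))
        offsets.update(range(lo, hi + 1))
    return base, masklen, frozenset(offsets)


def matches(spec, ip):
    """True if the address ip would match the spec."""
    base, masklen, offsets = parse_addr_spec(spec)
    a = int(ipaddress.IPv4Address(ip))
    if a < base or a >= base + (1 << (32 - masklen)):
        return False  # outside the block entirely
    if offsets is None:
        return True  # plain addr/masklen: whole block matches
    return (a - base) in offsets


def expand(spec):
    """All matching addresses as dotted quads, in address order."""
    base, masklen, offsets = parse_addr_spec(spec)
    offs = range(1 << (32 - masklen)) if offsets is None else sorted(offsets)
    return [str(ipaddress.IPv4Address(base + o)) for o in offs]


def exposure_if_list_dropped(spec):
    """Addresses the rule would additionally match if its {list} were lost
    and only addr/masklen remained, as in the 'ipfw show' output above."""
    wanted = set(expand(spec))
    whole_block = spec.split("{", 1)[0]
    return [ip for ip in expand(whole_block) if ip not in wanted]


if __name__ == "__main__":
    # Constructed sample specs taken from the thread and the manpage example.
    for spec in ("1.2.3.0/25{14-24}", "1.2.3.4/24{128,35-55,89}"):
        print(spec, "->", ", ".join(expand(spec)))
    rule = "1.2.3.0/25{14-24}"
    for ip in ("1.2.3.14", "1.2.3.24", "1.2.3.25", "1.2.3.127", "1.2.3.200"):
        print("%-12s %s" % (ip, "match" if matches(rule, ip) else "no match"))
    gained = exposure_if_list_dropped(rule)
    print("%d extra hosts opened if the list is dropped, e.g. %s"
          % (len(gained), gained[-1]))
```

Run it after editing a rule and compare the expansion with what `ipfw show` prints back: if the braces are missing from the listed rule, the kernel is matching the whole block, and exposure_if_list_dropped tells you exactly which hosts that opened.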
More information about the freebsd-questions mailing list