On 1-8-2016 07:22, Julian Elischer wrote:
> On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote:
>>
>> I am still a little bit amazed how ipfw comes to accept incorrect CIDR
>> ranges and arbitrarily moves the start/end addresses in order to
>> achieve CIDR conformity, and that without any further notice, and that
>> given that ipfw can be considered as being quite relevant to system
>> security. Or, may I assume that ipfw knows always better than the user
>> what should be allowed or denied. Otherwise, perhaps I am the only one
>> ever who input incorrect CIDR ranges for processing by ipfw.
> It's not so amazing when you think about it. The code comes from the
> routing table..
>
> In this context a.b.c.d/N means "the range of addresses containing
> a.b.c.d, masked to a length of N". There is no specification that
> a.b.c.d is the first address of the range. I have relied upon this
> behaviour many times.

I happily agree with Julian.... Rarely have I given the exact address of
a router and its net much thought. And apply happily a.b.c.27/26 in
ipfw, assuming that ipfw would figure out what the actual network part
of the address was.

--WjW
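
The masking behaviour discussed in this thread can be checked before a ruleset is loaded. The following is an added example, not part of the original messages and not ipfw code: a small lint that finds every a.b.c.d/N in a rule file whose address is not the first address of its range and reports the range it is masked to. The sample rules are constructed for illustration, and the names effective_range and lint_rules are hypothetical.

```python
import ipaddress
import re

# Constructed sample rules (not from the thread); documentation address ranges.
SAMPLE_RULES = """\
add 100 allow ip from 192.0.2.27/26 to any
add 110 deny ip from 198.51.100.0/24 to any
add 120 deny ip from 203.0.113.201/29 to 192.0.2.64/26
"""

CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")


def effective_range(cidr):
    """Return (network, first, last, host_bits_set) for an IPv4 a.b.c.d/N.

    The address is masked to N bits, which is the reading of a.b.c.d/N
    described in the thread. Raises ValueError on a malformed address or mask.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    host_bits_set = iface.ip != net.network_address
    return (str(net), str(net.network_address),
            str(net.broadcast_address), host_bits_set)


def lint_rules(text):
    """List (line number, CIDR as written, masked network, first, last)
    for every CIDR whose address is not the start of its own range."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for cidr in CIDR_RE.findall(line):
            try:
                net, first, last, dirty = effective_range(cidr)
            except ValueError:
                # Malformed octet or prefix length: report with no range.
                findings.append((lineno, cidr, None, None, None))
                continue
            if dirty:
                findings.append((lineno, cidr, net, first, last))
    return findings


if __name__ == "__main__":
    for lineno, cidr, net, first, last in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {cidr} is masked to {net} ({first} - {last})")
```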