Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}

2010-04-05 Thread Carmel NY
On Sun, 4 Apr 2010 19:11:42 -0500 (CDT), Robert Bonomi
 articulated:

> > From owner-freebsd-questi...@freebsd.org  Sun Apr  4 08:12:11 2010
> > Date: Sun, 4 Apr 2010 09:11:47 -0400
> > From: Carmel NY 
> > To: freebsd-questions@freebsd.org
> > Subject: Configuring IPFW IP range
> >
> > This is my first attempt at configuring IPFW. I have it up and
> > running; however, I am not quite sure how to accomplish configuring
> > it to block an IP range.
> >
> > Assume an IP range: 219.128.0.0 to 219.137.255.255
> >
> > That is an actual range: CHINANET Guangdong province network
> >
> > I want to block the entire range. I am not sure how to do it in
> > IPFW. I have read the 'man' pages; however, I am not getting the
> > syntax correct since I cannot get the range added.
> >
> 
> CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a
> 'power of two' in size, and (c) be no larger than the 'power of 2'
> factor for the starting address.  This range is _not_ that way [fails
> (b)], so you'll have to do it with multiple entries.
> 
> i.e., one for "219.128.0.0/13" which will catch 219.128.0.0 -
> 219.135.255.255 and a 2nd for "219.136.0.0/15" which will catch
> 219.136.0.0 - 219.137.255.255
> 
> Life can get messier, when rule 3 comes into play, consider the block
> 219.130.0.0 to 219.139.255.255
> 
> 219.130.0.0 is on a /15 boundary, so that's the max block size you
> can use for that starting address.
> 219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255
> next, you can start with 219.132.0.0, which is a /14, and block a /14
> with 219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255
> now, 219.136.0.0 is a /13  so you could block that big with just one more
> rule, if needed, (BUT, you only need another /14, to cover the
> remainder of the group of 10 /16s that the initial block includes.)
> thus, lastly: 219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

Thanks! It was suggested that I try 'ipcalc' by another poster. I did,
and it works excellently. In any case, I do have to familiarize myself
more fully with IP addressing.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Configuring IPFW IP range [FreeBSD-questions] {offlist}

2010-04-04 Thread Robert Bonomi
> From owner-freebsd-questi...@freebsd.org  Sun Apr  4 08:12:11 2010
> Date: Sun, 4 Apr 2010 09:11:47 -0400
> From: Carmel NY 
> To: freebsd-questions@freebsd.org
> Subject: Configuring IPFW IP range
>
> This is my first attempt at configuring IPFW. I have it up and running;
> however, I am not quite sure how to accomplish configuring it to block
> an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I
> have read the 'man' pages; however, I am not getting the syntax correct
> since I cannot get the range added.
>

CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a 'power of
two' in size, and (c) be no larger than the 'power of 2' factor for the
starting address.  This range is _not_ that way [fails (b)], so you'll have
to do it with multiple entries.

i.e., one for "219.128.0.0/13" which will catch 219.128.0.0 - 219.135.255.255
and a 2nd for "219.136.0.0/15" which will catch 219.136.0.0 - 219.137.255.255

Life can get messier, when rule 3 comes into play, consider the block
219.130.0.0 to 219.139.255.255

219.130.0.0 is on a /15 boundary, so that's the max block size you can use
for that starting address.
   219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255
next, you can start with 219.132.0.0, which is a /14, and block a /14 with
   219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255
now, 219.136.0.0 is a /13  so you could block that big with just one more
rule, if needed, (BUT, you only need another /14, to cover the remainder of
the group of 10 /16s that the initial block includes.)  thus, lastly:
   219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

This should help you get the syntax right.
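The same alignment-and-size walk, written out as an added example (my code, not from the thread): it splits an inclusive range into the minimal CIDR blocks exactly as described above and emits ipfw deny rules for them. The rule numbers (1000, step 10) are placeholders I chose, not anything from the thread.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    At each step take the largest block that (a) starts at the current
    address, (c) is no bigger than the alignment of that address (its lowest
    set bit), and (b) does not run past `last`; then move past the block.
    """
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= end:
        # Largest aligned block for this start: the lowest set bit of the
        # address (address 0.0.0.0 is aligned to everything, so cap at /0).
        size = min(cur & -cur or 1 << 32, 1 << 32)
        # Halve the block until it fits inside what is left of the range.
        while cur + size - 1 > end:
            size >>= 1
        prefix = 33 - size.bit_length()  # 2**19 addresses -> /13, 1 -> /32
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        cur += size
    return blocks


def ipfw_deny_rules(first, last, rule_number=1000, step=10):
    """One 'ipfw add N deny ip from CIDR to any' line per block (numbers
    are placeholders; pick ones that fit your existing ruleset)."""
    return [
        f"ipfw add {rule_number + i * step} deny ip from {cidr} to any"
        for i, cidr in enumerate(range_to_cidrs(first, last))
    ]


def matches_stdlib(first, last):
    """Cross-check against ipaddress.summarize_address_range (constructed
    self-test helper)."""
    expected = [
        str(n)
        for n in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        )
    ]
    return range_to_cidrs(first, last) == expected


if __name__ == "__main__":
    print("\n".join(ipfw_deny_rules("219.128.0.0", "219.137.255.255")))
```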
