Re: [fw-wiz] IP Ranges

Security Guy wrote:
specifically regarding PIX

Object groups do make ACL management a whole lot easier, but you're
still stuck specifying hosts or contiguous networks within the group,
you can't just put in a range like 192.168.10.15-28 that doesn't
summarize nicely.

Mmmm. I was thinking and experimenting with several subnet calculators,
and I conclude that the only ranges that can be specified are of the
kind IP/CIDR, because if you specify something like 192.168.1.20-30 it
can mean that range of ten IPs (in this case; in other cases it can be
several IPs), or it can mean:
192.168.1.20/255.255.255.252
192.168.1.24/255.255.255.252
192.168.1.28/255.255.255.254
192.168.1.30/255.255.255.255

which aren't in the same network range... In any case, you cannot
specify which of the two options you want, and IPTables documentation
doesn't say it.
I think that this is one of the reasons why the ip-range option is not a
very useful one, and is only implemented (I suppose) in IPTables 2.4 and
2.6.

-Sergio
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
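As an added worked example (not part of Sergio's post or of any PIX or iptables code), the greedy split of an inclusive address range into the CIDR blocks that Sergio lists above, followed by a check that those blocks cover exactly the addresses .20 through .30 and nothing else. The second range, 192.168.10.15-28, is the one from Security Guy's message. The PIX `network-object` lines at the end use the PIX 6.x object-group syntax; the object-group name is an assumption.

```python
import ipaddress


def range_to_prefixes(first, last):
    """Split an inclusive IPv4 range into the fewest CIDR blocks.

    Greedy: at each step take the largest power-of-two block that is
    aligned at the current start and does not run past `last`.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        size = 1
        # grow the block while it stays aligned and inside the range
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefixlen = 32 - size.bit_length() + 1
        blocks.append(ipaddress.IPv4Network((start, prefixlen)))
        start += size
    return blocks


def covered(blocks):
    """Every address (as an int) contained in the given blocks."""
    return {int(addr) for block in blocks for addr in block}


def matches_stdlib(first, last):
    """Cross-check against the standard library's own summarizer."""
    ours = range_to_prefixes(first, last)
    theirs = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return ours == theirs


def pix_network_objects(blocks):
    """PIX 6.x object-group members for the blocks (host form for /32)."""
    lines = []
    for block in blocks:
        if block.prefixlen == 32:
            lines.append(f"network-object host {block.network_address}")
        else:
            lines.append(f"network-object {block.network_address} {block.netmask}")
    return lines


if __name__ == "__main__":
    for first, last in (("192.168.1.20", "192.168.1.30"),
                        ("192.168.10.15", "192.168.10.28")):
        blocks = range_to_prefixes(first, last)
        # the blocks must cover the range exactly: no gaps, no extras
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        assert covered(blocks) == set(range(lo, hi + 1))
        print(f"{first}-{last} -> {[str(b) for b in blocks]}")
        print("object-group network RANGE_EXAMPLE  # name is an assumption")
        for line in pix_network_objects(blocks):
            print("  " + line)
```

The four blocks for 192.168.1.20-30 are exactly the four masks Sergio wrote out, and the `covered` check shows they describe the same eleven addresses as the range does, so a firewall that only accepts prefixes still lets you express the range, just as several entries rather than one.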


