Re: ipfw problem

From: Lee Smallbone (lee@kechara.net)
Date: 04/21/01


Date: Sat, 21 Apr 2001 18:25:13 +0100
To: Peter Pentchev <roam@orbitel.bg>
From: Lee Smallbone <lee@kechara.net>

Hi Peter,

 Thanks for your workaround, although it's not quite what I'd hoped for. (Why does ipfw not allow
 ranges?? If the author is listening...)

 I thought I had it for one minute, where I found that ${ip} isn't defined until later on
 in the script. No such luck.

 Ah well, thanks Peter!

--Lee

1/04/2001 23:07:10, Peter Pentchev <roam@orbitel.bg> wrote:

>On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote:
>> Hello Peter,
>>
>> 21/04/2001 22:54:10, Peter Pentchev <roam@orbitel.bg> wrote:
>>
>> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
>> >> Hi there,
>> >>
>> >> The machine stops booting on either of these two rules, and I have to boot into
>> >> single user, remove the rules and reboot. What's wrong with them?
>> >>
>> >> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
>> >>
>> >> I also get the same problem on this rule (in place of the one above):
>> >>
>> >> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
>> >
>> >Where exactly in the boot process does it 'stop'? What application/program
>> >is it trying to execute? Or does ipfw itself hang when adding those rules?
>>
>> ipfw hangs during boot in trying to add rule 300.
>
>Well, I think there's something wrong with the rule itself. Nowhere in
>the ipfw manpage could I find a syntax for specifying addresses in
>an address-address format - it's either a single address, or address/bits,
>or address:mask. Though the fact that ipfw hangs is a little disturbing,
>I would advise that you rewrite this rule to use proper syntax, though
>that might be a little tricky - the address range you've specified does
>not fall under an easy mask :(
>
>Do you want to allow 213.46.0.*? If not, then try..
>
>${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
>${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip}
>${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip}
>${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip}
>${fwcmd} add 304 unreach 9 all from 213.46.120.0/22 to ${ip}
>
>(ick!)
>
>This would deny everything from 213.46.0.0 to 213.46.123.255. Yes, I know
>it's ugly.
>
>G'luck,
>Peter
>
>--
>Do you think anybody has ever had *precisely this thought* before?
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
Lee Smallbone
Kechara Internet
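The range-to-netmask problem discussed in this thread can be worked out mechanically. The following is an added example for this archive page, not code from either poster or from FreeBSD: it uses Python's standard `ipaddress` module to split an inclusive address range into the minimal set of CIDR blocks, emits one ipfw rule per block in the same form as the rules quoted above (the `${fwcmd}` and `${ip}` placeholders and the `unreach 9` action are taken from the thread; the consecutive rule numbering from 300 is an assumption), and counts how many addresses a given set of blocks matches outside the range actually requested. The exact range 213.46.1.1-213.46.123.254 needs 26 blocks because neither endpoint is aligned; rounding to 213.46.0.0-213.46.123.255 needs five, at the cost of matching 258 addresses the original rule would not have matched.

```python
import ipaddress

# Constructed placeholders matching the rules quoted in the thread; in a real
# rc.firewall these are set by the script itself.
FWCMD = "${fwcmd}"
DST = "${ip}"


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks covering first..last inclusive, ascending."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is after range end")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def ipfw_rules(first, last, action="unreach 9", start=300):
    """One ipfw rule per CIDR block, numbered consecutively from `start`."""
    nets = range_to_cidrs(first, last)
    return [
        f"{FWCMD} add {start + i} {action} all from {net} to {DST}"
        for i, net in enumerate(nets)
    ]


def addresses_outside_range(cidrs, first, last):
    """Count addresses matched by `cidrs` that lie outside first..last.

    A non-zero result means the rule set matches more than was asked for.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    extra = 0
    for c in cidrs:
        net = ipaddress.IPv4Network(c)
        n_lo = int(net.network_address)
        n_hi = int(net.broadcast_address)
        # Size of the intersection between this block and the requested range.
        overlap = max(0, min(n_hi, hi) - max(n_lo, lo) + 1)
        extra += net.num_addresses - overlap
    return extra


if __name__ == "__main__":
    exact = range_to_cidrs("213.46.1.1", "213.46.123.254")
    print(f"{len(exact)} blocks for the exact range 213.46.1.1-213.46.123.254:")
    for rule in ipfw_rules("213.46.1.1", "213.46.123.254"):
        print(rule)

    rounded = range_to_cidrs("213.46.0.0", "213.46.123.255")
    print(f"\n{len(rounded)} blocks for the rounded range 213.46.0.0-213.46.123.255:")
    for rule in ipfw_rules("213.46.0.0", "213.46.123.255"):
        print(rule)
    print("addresses matched beyond the requested range:",
          addresses_outside_range(rounded, "213.46.1.1", "213.46.123.254"))
```

Running the block prints both rule sets; the second one reproduces the five-block decomposition from the reply above. `addresses_outside_range` is the check worth keeping around: whenever a range has been widened to get a short rule list, it tells you exactly how much extra address space the rules now match.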