(no subject)
From: Robert Chalmers (robert_at_the-mission-of-our-lady-of-fatima.org)
Date: 12/24/03
- Previous message: Ruslan Ermilov: "Re: interface bonding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <freebsd-security@freebsd.org> Date: Wed, 24 Dec 2003 13:47:39 +1000
The man page gives this example, however, when I attempt to use it, it ssems
to block the whole set?
Could someone tell me what's going wrong here please. Thanks heaps..
This works,
${fwcmd} add deny log all from any to 203.1.96.1 in via ${oif}
This blocks the whole IP block, not just the list?
${fwcmd} add deny log all from any to 203.1.96.0/24{2,6-25,27-154,156-19 9,204-254} in via ${oif}
the man page bit...
list: {num | num-num}[,list]
Matches all addresses with base address addr (specified as a
dot-
ted quad or a hostname) and whose last byte is in the list
between braces { } . Note that there must be no spaces between
braces and numbers (spaces after commas are allowed). Elements
of the list can be specified as single entries or ranges. The
masklen field is used to limit the size of the set of
addresses,
and can have any value between 24 and 32. If not specified, it
will be assumed as 24.
This format is particularly useful to handle sparse address
sets
within a single rule. Because the matching occurs using a bit-
mask, it takes constant time and dramatically reduces the com-
plexity of rulesets.
As an example, an address specified as 1.2.3.4/24{128,35-55,89}
will match the following IP addresses:
1.2.3.128, 1.2.3.35 to 1.2.3.55, 1.2.3.89 .
Thanks
Robert
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
- Previous message: Ruslan Ermilov: "Re: interface bonding"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
