hosts.allow not always working... misses some IPs

Uwe Doering gemini at geminix.org
Tue Dec 2 00:04:54 PST 2003


Kerry B. Rogers wrote:
>>[...]
>>I think the netmask is wrong.  When you apply the third octet of the
>>netmask (251) to the IP address (220) the result will be 216, which is
>>then compared with 220.  Since the numbers differ the rule doesn't
>>apply, which is to be expected.
>>
>>Are you sure that the netmask's third octet shouldn't have been 254, 252
>>or 248 instead for proper masking, depending on the range of addresses
>>you'd like to cover?
> 
> Uwe... how did you come up with netmask 251 applied to 220 equals 216? I'm
> confused about how one
> would determine the proper netmask. I think my formula is wrong and would
> like to get it right. I'm trying to convert the ARIN data line:
> 
> arin|CA|ipv4|199.185.220.0|1280|19940222|assigned
> 
> to a hosts.allow line and come up with:
> 
> smtp : 199.185.220.0/255.255.251.0 : deny
> 
> using the formula:
> 
> MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") -
> (IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))
> 
> or, translated symbolically:
> 
> Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0
> 
> which (mathematically) is:
> 
> Mask = 4294967295 - 3350847743 - 3350846464
> 
> I guess using 255.255.255.255 and subtracting the difference of the IP range
> is not the proper way to arrive at a netmask. What is? Anyone?

Netmasks are supposed to be calculated bit-wise, not by subtraction, and 
they can cover only address ranges that are a power of two.  So you need 
two ranges in your case: the first 1024 addresses and the remaining 256 
(adds up to 1280).  In C syntax the formula for the netmask would be:

   netmask = ~(number_of_addresses - 1);

This results in

   smtp : 199.185.220.0/255.255.252.0 199.185.224.0/255.255.255.0 : deny

If you don't have a calculator with a binary mode you can easily do this 
bit by bit on a piece of paper.  First write down 1023 (1024 - 1) in 
binary form (all 32 bits representing an IPv4 address), then invert the 
bits, and finally convert them back into a decimal number.  Do the same 
for the second range (256 - 1), and adapt the base address for this 
range accordingly.

Hope this explanation was clear enough.

    Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini at geminix.org  |  http://www.escapebox.net
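As an added example (not part of the thread), the bit-wise procedure above in Python: the ARIN block is split into aligned power-of-two pieces, each gets the ~(n - 1) netmask, and the result is emitted as a hosts.allow line. It also shows why the subtraction formula from the question fails, since 251 has a zero bit in the middle and masks 220 down to 216.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def split_range(first_ip: str, count: int) -> list[tuple[str, str]]:
    """Split 'count' addresses starting at first_ip into aligned power-of-two
    blocks, returned as (network, netmask) dotted-quad pairs."""
    base = ip_to_int(first_ip)
    end = base + count                      # one past the last address
    blocks = []
    while base < end:
        align = base & -base if base else 1 << 32   # largest block aligned at base
        size = 1
        while size * 2 <= align and base + size * 2 <= end:
            size *= 2                       # grow while aligned and inside the range
        netmask = ~(size - 1) & 0xFFFFFFFF  # the ~(n - 1) formula, kept to 32 bits
        blocks.append((int_to_ip(base), int_to_ip(netmask)))
        base += size
    return blocks


def hosts_allow_line(daemon: str, first_ip: str, count: int, action: str = "deny") -> str:
    """Render the blocks as one tcp_wrappers hosts.allow rule."""
    pairs = " ".join(f"{net}/{mask}" for net, mask in split_range(first_ip, count))
    return f"{daemon} : {pairs} : {action}"


def subtraction_mask(first_ip: str, last_ip: str) -> str:
    """The mask the question's formula produces: 255.255.255.255 - (last - first).
    This is not a valid netmask unless the range is a power of two."""
    return int_to_ip(0xFFFFFFFF - (ip_to_int(last_ip) - ip_to_int(first_ip)))


def rule_matches(ip: str, network: str, netmask: str) -> bool:
    """tcp_wrappers style match: (address AND mask) must equal the network."""
    return (ip_to_int(ip) & ip_to_int(netmask)) == ip_to_int(network)


if __name__ == "__main__":
    print(hosts_allow_line("smtp", "199.185.220.0", 1280))
    print(subtraction_mask("199.185.220.0", "199.185.224.255"))   # 255.255.251.0
    print(rule_matches("199.185.220.5", "199.185.220.0", "255.255.251.0"))  # False
```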