ipfw divert filter for IPv4 geo-blocking

Julian Elischer julian at freebsd.org
Mon Aug 1 05:22:28 UTC 2016


On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote:
>
> I am still a little bit amazed how ipfw comes to accept incorrect CIDR ranges and arbitrarily moves the start/end addresses in order to achieve CIDR conformity, and that without any further notice, and that given that ipfw can be considered as being quite relevant to system security. Or, may I assume that ipfw knows always better than the user what should be allowed or denied. Otherwise, perhaps I am the only one ever who input incorrect CIDR ranges for processing by ipfw.
It's not so amazing when you think about it. The code comes from the
routing table.

In this context a.b.c.d/N means "the range of addresses containing
a.b.c.d, masked to a length of N". There is no specification that
a.b.c.d is the first address of the range. I have relied upon this
behaviour many times.

>
> Best regards
>
> Rolf
>
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
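The masking semantics described in the message above, as an added example that is not part of the original post and not ipfw's own code: it computes the range an a.b.c.d/N entry actually covers and lists entries whose written address is not the first address of that range. The function names and the sample entries (documentation address space) are constructed for illustration.

```python
import ipaddress

def effective_range(cidr):
    """Return (first, last, moved) for an IPv4 a.b.c.d/N entry.

    Applies "the range containing a.b.c.d, masked to a length of N":
    the host bits of the written address are simply masked off.
    """
    addr_text, _, len_text = cidr.strip().partition("/")
    addr = int(ipaddress.IPv4Address(addr_text))
    prefix_len = int(len_text) if len_text else 32
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    first = addr & mask                    # start of the covering range
    last = first | (~mask & 0xFFFFFFFF)    # end of the covering range
    moved = addr != first                  # written address had host bits set
    return ipaddress.IPv4Address(first), ipaddress.IPv4Address(last), moved

def audit(entries):
    """Return (entry, first, last) for entries that do not start their range."""
    findings = []
    for entry in entries:
        first, last, moved = effective_range(entry)
        if moved:
            findings.append((entry, str(first), str(last)))
    return findings

# Constructed sample entries, not taken from the thread.
SAMPLE = [
    "192.0.2.0/24",       # already aligned
    "198.51.100.77/26",   # host bits set
    "203.0.113.200/28",   # host bits set
    "192.0.2.130/25",     # host bits set
]

if __name__ == "__main__":
    for entry, first, last in audit(SAMPLE):
        print(f"{entry}: covers {first} - {last}")
```

Running such a check over a geo-blocking list before loading it shows where the matched range begins below the address that was written, so the difference is visible to whoever maintains the list.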


