ipfw divert filter for IPv4 geo-blocking

Willem Jan Withagen wjw at digiware.nl
Tue Aug 2 13:14:51 UTC 2016


On 1-8-2016 07:22, Julian Elischer wrote:
> On 30/07/2016 10:17 PM, Dr. Rolf Jansen wrote:
>>
>> I am still a little bit amazed how ipfw came to accept incorrect CIDR
>> ranges and arbitrarily moves the start/end addresses in order to
>> achieve CIDR conformity, and that without any further notice, and that
>> given that ipfw can be considered as being quite relevant to system
>> security. Or, may I assume that ipfw always knows better than the user
>> what should be allowed or denied. Otherwise, perhaps I am the only one
>> ever who input incorrect CIDR ranges for processing by ipfw.
> It's not so amazing when you think about it. The code comes from the
> routing table.
> 
> In this context a.b.c.d/N means "the range of addresses containing
> a.b.c.d, masked to a length of N". There is no specification that
> a.b.c.d is the first address of the range. I have relied upon this
> behaviour many times.

I happily agree with Julian....
Rarely have I given the exact address of a router and its net much thought.
And I happily apply a.b.c.27/26 in ipfw, assuming that ipfw would figure
out what the actual network part of the address was.

--WjW
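The a.b.c.d/N semantics Julian describes, as an added example that is not part of the thread: a small Python lint over constructed ipfw rule lines that reports every CIDR whose host bits are set, together with the block ipfw will actually match, which is the notice Rolf would have liked to see. The rule lines and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed ipfw rule lines (not from the thread); the /26 with host bits
# set mirrors the a.b.c.27/26 case discussed above.
SAMPLE_RULES = [
    "add 100 deny ip from 203.0.113.27/26 to any",
    "add 200 allow ip from 198.51.100.0/24 to me",
    "add 300 deny ip from 10.20.30.40/22 to any",
]

# Matches an IPv4 address followed by a prefix length, e.g. 203.0.113.27/26.
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")


def ipfw_interpretation(cidr: str) -> ipaddress.IPv4Network:
    """Return the range ipfw matches for a.b.c.d/N: the address masked to
    N bits.  strict=False drops the host bits silently, as ipfw does."""
    return ipaddress.ip_network(cidr, strict=False)


def is_canonical(cidr: str) -> bool:
    """True iff a.b.c.d is the first address of its /N block."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:  # raised when host bits are set
        return False


def lint_rules(rules):
    """Flag every CIDR whose host bits are set and report what ipfw will
    match instead.  Returns a list of (rule, written, effective) tuples."""
    findings = []
    for rule in rules:
        for cidr in CIDR_RE.findall(rule):
            if not is_canonical(cidr):
                findings.append((rule, cidr, str(ipfw_interpretation(cidr))))
    return findings


if __name__ == "__main__":
    for rule, written, effective in lint_rules(SAMPLE_RULES):
        print(f"{written} in '{rule}' -> ipfw matches {effective}")
```

Running the block prints two findings: 203.0.113.27/26 is matched as 203.0.113.0/26 and 10.20.30.40/22 as 10.20.28.0/22, while the canonical /24 rule passes silently.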