Configuring IPFW IP range

Carmel NY carmel_ny at hotmail.com
Sun Apr 4 17:04:16 UTC 2010


On Sun, 04 Apr 2010 11:02:29 -0400, Ashley <ashley at cpufight.com>
articulated:

> On 04/04/2010 09:11 AM, Carmel NY wrote:
> > This is my first attempt at configuring IPFW. I have it up and
> > running; however, I am not quite sure how to accomplish configuring
> > it to block an IP range.
> >
> > Assume an IP range: 219.128.0.0 to 219.137.255.255
> >
> > That is an actual range: CHINANET Guangdong province network
> >
> > I want to block the entire range. I am not sure how to do it in
> > IPFW. I have read the 'man' pages; however, I am not getting the
> > syntax correct since I cannot get the range added.
> Carmel,
> 
> Have you tried something like what's mentioned in this excerpt quoted 
> below?:
> 
> Network-based filtering works similarly, and the network
> notation there utilizes either bitmasks or netmasks, for instance:
> 
> add 2000 allow all from 192.168.0.0/16 to any
> add 2100 deny all from any to 10.0.0.0:255.0.0.0
> 
> The first rule allows all traffic from the network whose IP range
> is 192.168.0.0-192.168.255.255. It uses a bitmask to indicate this. A
> bitmask specifies how many bits from the network address (192.168.0.0)
> should remain the same for matching packets. In this instance, the
> first 16 bits out of the 32 bit address will remain the same, and as
> the first 16 bits happen to be the first two octets, 192.168, all
> addresses whose source addresses have the first two octets as 192.168
> will be matched by this rule. The second rule accomplishes a similar
> thing using netmasks. The netmask indicates how many bits from the
> indicated network address should be used for rule matching. In the
> above example, for rule two, the netmask is 255.0.0.0. Its first
> octet is set with high bits; in other words, the first 8 bits are set
> high. This indicates to ipfw(8) that only packets with the first 8
> bits of the network address (10.0.0.0) should be matched. As the
> first 8 bits of the network address equal 10, then all packets whose
> destination address has a 10 for the first octet (all addresses
> between 10.0.0.0 and 10.255.255.255) will be matched by this rule,
> and then dropped, as indicated by the action.
> 
> 
> (This excerpt from http://www.freebsd-howto.com/HOWTO/Ipfw-HOWTO)

Thanks Maciej Suszko and Ashley. I used the ipcalc tool. I thought I
had seen something like that before; however, I was not able to recall
the name of the utility. I really have to study up on IPs and
networking.

-- 
Carmel
carmel_ny at hotmail.com

|::::=======
|::::=======
|===========
|===========
|

BACHELOR: A man who chases women and never Mrs. one.
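The step ipcalc performed for the range above, as an added example that is not part of the thread: split an inclusive start-to-end range into the CIDR blocks ipfw accepts, and render deny rules from them (the rule numbers 2100/2110 are an assumption).

```python
import ipaddress


def range_to_cidrs(first: str, last: str) -> list:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks.

    ipfw takes a network as a.b.c.d/bits or a.b.c.d:netmask, not as a
    'start to end' range, so the range must be expressed as aligned blocks.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        # Widen the block (shorter prefix) while it stays aligned at
        # 'start' and does not run past 'end'.
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))
            if start % size != 0 or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += 1 << (32 - prefix)
    return blocks


def netmask_form(net: ipaddress.IPv4Network) -> str:
    """ipfw's alternative address:netmask notation for the same block."""
    return f"{net.network_address}:{net.netmask}"


def ipfw_deny_rules(first: str, last: str, rule_number: int = 2100, step: int = 10) -> list:
    """Render 'ipfw add' lines denying all traffic from the range (constructed rule numbers)."""
    return [
        f"add {rule_number + i * step} deny all from {net.with_prefixlen} to any"
        for i, net in enumerate(range_to_cidrs(first, last))
    ]


def covered(addr: str, first: str, last: str) -> bool:
    """Check that an address falls inside the generated blocks (and nothing outside does)."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in range_to_cidrs(first, last))


if __name__ == "__main__":
    for line in ipfw_deny_rules("219.128.0.0", "219.137.255.255"):
        print(line)
```

Feed the printed lines to `ipfw` (or into the rules file) the same way the excerpt's `add 2100 deny ...` line is used.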
