Configuring IPFW IP range [FreeBSD-questions] {offlist}

Robert Bonomi bonomi at mail.r-bonomi.com
Mon Apr 5 00:11:56 UTC 2010


> From owner-freebsd-questions at freebsd.org  Sun Apr  4 08:12:11 2010
> Date: Sun, 4 Apr 2010 09:11:47 -0400
> From: Carmel NY <carmel_ny at hotmail.com>
> To: freebsd-questions at freebsd.org
> Subject: Configuring IPFW IP range
>
> This is my first attempt at configuring IPFW. I have it up and running;
> however, I am not quite sure how to accomplish configuring it to block
> an IP range.
>
> Assume an IP range: 219.128.0.0 to 219.137.255.255
>
> That is an actual range: CHINANET Guangdong province network
>
> I want to block the entire range. I am not sure how to do it in IPFW. I
> have read the 'man' pages; however, I am not getting the syntax correct
> since I cannot get the range added.
>

CIDR ranges have to: (a) start on a 'power of 2' address, (b) be a 'power of two'
in size, and (c) be no larger than the 'power of 2' factor for the starting 
address.  This range is _not_ that way [fails (b)], so you'll have to do it with
multiple entries.

i.e., one for "219.128.0.0/13" which will catch 219.128.0.0 - 219.135.255.255
and a 2nd for "219.136.0.0/15" which will catch 219.136.0.0 - 219.137.255.255

Life can get messier when rule 3 comes into play; consider the block
219.130.0.0 to 219.139.255.255

219.130.0.0 is on a /15 boundary, so that's the max block size you can use
for that starting address.
   219.130.0.0/15   catches 219.130.0.0 - 219.131.255.255
next, you can start with 219.132.0.0, which is a /14, and block a /14 with
   219.132.0.0/14   catches 219.132.0.0 - 219.135.255.255
now, 219.136.0.0 is a /13, so you could block that big with just one more rule,
    if needed (BUT you only need another /14 to cover the remainder of the
    group of 10 /16s that the initial block includes).  thus, lastly:
   219.136.0.0/14   catches 219.136.0.0 - 219.139.255.255

This should help you get the syntax right.
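The three rules above are exactly the greedy split an address-range-to-CIDR routine performs. The following is an added example, not code from the thread or from FreeBSD: it walks an arbitrary IPv4 range, at each step taking the largest block the start address's alignment allows (rule c) that still fits in what remains (rule b), and emits one `ipfw add ... deny` line per block. The rule number 1000 and the "deny ip ... to any" form are assumptions for illustration.

```python
import ipaddress


def _trailing_zeros(n: int) -> int:
    """Number of trailing zero bits in a 32-bit address (32 for 0.0.0.0)."""
    return 32 if n == 0 else (n & -n).bit_length() - 1


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the minimal ordered list of CIDR blocks.

    Each block starts where the previous one ended. Its size is 2**k where k is
    capped by the alignment of the start address (rule c: a block may not be
    larger than the power of two its start address sits on) and by the number
    of addresses still left in the range (rule b: size must be a power of two
    that fits).
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    blocks = []
    while start <= end:
        k = _trailing_zeros(start)                 # rule (c): alignment of start
        remaining = end - start + 1
        k = min(k, remaining.bit_length() - 1)     # rule (b): largest 2**k <= remaining
        blocks.append(f"{ipaddress.IPv4Address(start)}/{32 - k}")
        start += 1 << k
    return blocks


def ipfw_deny_rules(first: str, last: str, rule_no: int = 1000) -> list[str]:
    """One ipfw deny rule per CIDR block (rule number and form are assumptions)."""
    return [f"ipfw add {rule_no + i} deny ip from {cidr} to any"
            for i, cidr in enumerate(range_to_cidrs(first, last))]


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check against the stdlib's own summarizer; should always be True."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return range_to_cidrs(first, last) == [str(n) for n in nets]


if __name__ == "__main__":
    # the range from the original question
    for line in ipfw_deny_rules("219.128.0.0", "219.137.255.255"):
        print(line)
```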
