hosts.allow not always working... misses some IPs
Kerry B. Rogers
kbrogers at tinkertoys.net
Mon Dec 1 22:48:17 PST 2003
> > Kerry B. Rogers wrote:
> > Dear Whomever,
> >
> > I received an e-mail with the following header fragment:
> >
> > ====== cut here =======
> > Received: from priv-edtnes11-hme0.telusplanet.net (outbound03.telus.net
> > [199.185.220.222])
> > by tinkertoys.net (8.12.10/8.11.6) with ESMTP id hANMNpKS021237;
> > Sun, 23 Nov 2003 15:23:51 -0700 (MST)
> >
> > ====== cut here =======
> >
> > In my hosts.allow file (which usually rejects domains just fine) I have:
> >
> > ====== cut here =======
> > smtp : 199.185.220.0/255.255.251.0 : deny
> > ====== cut here =======
> >
> > The above listed e-mail should have been rejected but it wasn't. Is this a
> > bug? Is a 975K hosts.allow file creating this problem? Please help...
>
> I think the netmask is wrong. When you apply the third octet of the
> netmask (251) to the IP address (220) the result will be 216, which is
> then compared with 220. Since the numbers differ the rule doesn't
> apply, which is to be expected.
>
> Are you sure that the netmask's third octet shouldn't have been 254, 252
> or 248 instead for proper masking, depending on the range of addresses
> you'd like to cover?
>
> Uwe
Uwe... how did you come up with netmask 251 applied to 220 equals 216? I'm
confused about how one would determine the proper netmask. I think my formula
is wrong and would like to get it right. I'm trying to convert the ARIN data
line:
arin|CA|ipv4|199.185.220.0|1280|19940222|assigned
to a hosts.allow line and come up with:
smtp : 199.185.220.0/255.255.251.0 : deny
using the formula:
MaskFromIPRange = DoubleToIPAddress(IPAddressToDouble("255.255.255.255") -
(IPAddressToDouble(strLastIP) - IPAddressToDouble(strFirstIP)))
or, translated symbolically:
Mask = 255.255.255.255 - 199.185.224.255 - 199.185.220.0
which (mathematically) is:
Mask = 4294967295 - 3350847743 - 3350846464
I guess using 255.255.255.255 and subtracting the difference of the IP range
is not the proper way to arrive at a netmask. What is? Anyone?
Thanks,
Kerry
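
Added example (not part of the original message or of tcp_wrappers): a Python sketch that takes the ARIN record and sender address quoted above, shows that the subtraction formula yields a non-contiguous mask that fails the match test described in the quoted reply, and splits the 1280-address range into contiguous blocks written in the same hosts.allow form. The function names are hypothetical, and the match test is assumed to be the bitwise comparison the reply describes.

```python
import ipaddress

ARIN_LINE = "arin|CA|ipv4|199.185.220.0|1280|19940222|assigned"  # record quoted in the message
SENDER = "199.185.220.222"                                       # address from the Received: header

def parse_arin_line(line):
    """Return (first, last) addresses of an 'arin|CC|ipv4|start|count|...' record."""
    fields = line.strip().split("|")
    if len(fields) < 5 or fields[2] != "ipv4":
        raise ValueError("not an ipv4 delegation record: %r" % line)
    first, count = ipaddress.IPv4Address(fields[3]), int(fields[4])
    if count < 1:
        raise ValueError("address count must be positive")
    return first, first + (count - 1)

def subtraction_mask(first, last):
    """The formula from the message: 255.255.255.255 - (last - first)."""
    return ipaddress.IPv4Address(0xFFFFFFFF - (int(last) - int(first)))

def is_contiguous_mask(mask):
    """A usable netmask is a run of 1 bits followed only by 0 bits."""
    host_bits = ~int(mask) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0

def rule_matches(addr, net, mask):
    """Match test as described in the quoted reply: (addr AND mask) compared with net."""
    return int(ipaddress.IPv4Address(addr)) & int(mask) == int(ipaddress.IPv4Address(net))

def hosts_allow_rules(line, daemon="smtp"):
    """Split the range into CIDR blocks, one rule each, in the form used in the message."""
    first, last = parse_arin_line(line)
    return ["%s : %s/%s : deny" % (daemon, net.network_address, net.netmask)
            for net in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    first, last = parse_arin_line(ARIN_LINE)
    bad = subtraction_mask(first, last)
    print("subtraction mask:", bad, "contiguous:", is_contiguous_mask(bad))
    print("matches sender:", rule_matches(SENDER, first, bad))
    for rule in hosts_allow_rules(ARIN_LINE):
        print(rule)
```

The range needs two rules because 1280 is not a power of two: a 1024-address block followed by a 256-address block.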