Syntax base IP
budsz
budiyt at gmail.com
Tue May 13 02:32:30 UTC 2008
On Tue, May 6, 2008 at 3:59 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:
> budsz wrote:
> >
> > ipunlimit="192.168.0.100/32,10.35.4.1/32,202.129.189.42/32,\
> > 202.129.189.45/32,125.163.77.180/32,202.43.167.70/32,\
> > 202.43.167.72/32,202.43.161.119/32,202.10.32.10/32,202.93.20.22/32,\
> > 202.93.20.23/32,202.93.20.24/32,122.102.49.132/32,\
> > 202.43.161.124/32,202.93.247.26/32,202.93.247.28/32"
> >
> > ${fwcmd} add 100 pipe 1 ip from ${ippriviix} to { not ${ipunlimit} } ${portlim} via ${ifint0}
> > ${fwcmd} add 101 pipe 1 ip from { not ${ipunlimit} } ${portlim} to ${ippriviix} via ${ifint0}
> >
> > When executing the firewall script I got error messages like this:
> > #sh /etc/rc.firewall
> > ipfw: opcode 6 size 33 wrong
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > ipfw: opcode 2 size 33 wrong
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
Hello,
I have a problem here. These are examples of the rules I've set:
portlim="20-21,80,88,443,2009,8080,8088,10007,18755"
bwunlimit="64Kbit/s"
${fwcmd} pipe 1 config bw ${bwunlimit}
${fwcmd} table 1 add 10.35.4.1/32 1
${fwcmd} table 1 add 122.102.49.132/32 1
${fwcmd} table 1 add 125.163.77.180/32 1
${fwcmd} table 1 add 192.168.0.100/32 1
${fwcmd} table 1 add 202.10.32.10/32 1
${fwcmd} table 1 add 202.129.189.42/32 1
${fwcmd} table 1 add 202.129.189.45/32 1
${fwcmd} table 1 add 202.43.161.119/32 1
${fwcmd} table 1 add 202.43.161.124/32 1
${fwcmd} table 1 add 202.43.167.70/32 1
${fwcmd} table 1 add 202.43.167.72/32 1
${fwcmd} table 1 add 202.93.20.22/32 1
${fwcmd} table 1 add 202.93.20.23/32 1
${fwcmd} table 1 add 202.93.20.24/32 1
${fwcmd} table 1 add 202.93.247.26/32 1
${fwcmd} table 1 add 202.93.247.28/32 1
${fwcmd} add 100 pipe tablearg ip from ${ippriviix} to not "table(1)" ${portlim} via ${ifint0}
${fwcmd} add 101 pipe tablearg ip from not "table(1)" ${portlim} to ${ippriviix} via ${ifint0}
As a result, those IP addresses can pass, but any other IP addresses (other than those above) cannot be reached, as if they were blocked.
My intention is to limit (NOT block) all other IP addresses (other than those above). How can I use the 'not' keyword for the above case?
Thank You
--
budsz
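An added example, not part of the post above and not the poster's own script: the same rule set rewritten so the "unlimited" hosts live in an ipfw table and every other host is shaped through a fixed pipe number. The assumption behind it is that `pipe tablearg` takes its pipe number from the value stored in the table, so a rule that matches on `not "table(1)"` (the address is NOT in the table) has no table value to hand over; naming the pipe explicitly sidesteps that. Using a table also avoids packing sixteen addresses into one inline `{ ... }` list, which is what the earlier `opcode ... size 33 wrong` errors were about. The values of `ippriviix` and `ifint0` are assumed, since the post does not show them; the host list and ports are the ones from the post.

```shell
#!/bin/sh
# Added example (not the original poster's script).
# Dry run by default: prints the ipfw commands instead of applying them.
# On a FreeBSD box run it as  FWCMD=ipfw sh rules.sh  to load them for real.
fwcmd="${FWCMD:-echo ipfw}"

ippriviix="192.168.10.0/24"   # assumed: the network being shaped (not shown in the post)
ifint0="em0"                  # assumed: internal interface name (not shown in the post)
portlim="20-21,80,88,443,2009,8080,8088,10007,18755"
bwlimit="64Kbit/s"            # the post calls this bwunlimit; it is the limited rate

# Hosts that must NOT be rate-limited (the list from the post).
unlimited_hosts="
10.35.4.1/32
122.102.49.132/32
125.163.77.180/32
192.168.0.100/32
202.10.32.10/32
202.129.189.42/32
202.129.189.45/32
202.43.161.119/32
202.43.161.124/32
202.43.167.70/32
202.43.167.72/32
202.93.20.22/32
202.93.20.23/32
202.93.20.24/32
202.93.247.26/32
202.93.247.28/32
"

load_rules() {
    ${fwcmd} pipe 1 config bw "${bwlimit}"

    # Rebuild table 1 from scratch so stale entries cannot linger.
    ${fwcmd} table 1 flush
    for host in ${unlimited_hosts}; do
        # The trailing value (1) is only consulted by 'tablearg'; with an
        # explicit pipe number below it is harmless but no longer needed.
        ${fwcmd} table 1 add "${host}" 1
    done

    # Explicit pipe number instead of 'pipe tablearg': a packet whose peer
    # is NOT in table 1 matches 'not table(1)' and is sent to pipe 1.
    # (Assumption: with 'not table(1)' the lookup produces no table value,
    # so 'pipe tablearg' would not name a usable pipe.)
    ${fwcmd} add 100 pipe 1 ip from "${ippriviix}" to not "table(1)" "${portlim}" via "${ifint0}"
    ${fwcmd} add 101 pipe 1 ip from not "table(1)" "${portlim}" to "${ippriviix}" via "${ifint0}"
    # Packets to or from hosts that ARE in table 1 do not match rules 100/101
    # and continue down the ruleset unshaped.
}

load_rules
```

Run it as-is to see exactly which `ipfw` commands would be issued; only set `FWCMD=ipfw` once the printed rules look right, since a wrong shaping rule on the inside interface affects every client behind it.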