Syntax base IP

budsz budiyt at gmail.com
Tue May 13 02:32:30 UTC 2008


On Tue, May 6, 2008 at 3:59 PM, Andrey V. Elsukov <bu7cher at yandex.ru> wrote:

> budsz wrote:
> >
> > ipunlimit="192.168.0.100/32,10.35.4.1/32,202.129.189.42/32,\
> >           202.129.189.45/32,125.163.77.180/32,202.43.167.70/32,\
> >           202.43.167.72/32,202.43.161.119/32,202.10.32.10/32,202.93.20.22/32,\
> >           202.93.20.23/32,202.93.20.24/32,122.102.49.132/32,\
> >           202.43.161.124/32,202.93.247.26/32,202.93.247.28/32"
> >
> > ${fwcmd} add 100 pipe 1 ip from ${ippriviix} to { not ${ipunlimit} } \
> >     ${portlim} via ${ifint0}
> > ${fwcmd} add 101 pipe 1 ip from { not ${ipunlimit} } ${portlim} to \
> >     ${ippriviix} via ${ifint0}
> >
> > Executing the firewall script I got an error message like this:
> > #sh /etc/rc.firewall
> > ipfw: opcode 6 size 33 wrong
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> > ipfw: opcode 2 size 33 wrong
> > ipfw: getsockopt(IP_FW_ADD): Invalid argument
> >
>

 Hello,

 I have a problem here; these are examples of the rules I've set:


 portlim="20-21,80,88,443,2009,8080,8088,10007,18755"
 bwunlimit="64Kbit/s"


 ${fwcmd} pipe 1 config bw ${bwunlimit}

 ${fwcmd} table 1 add 10.35.4.1/32 1
 ${fwcmd} table 1 add 122.102.49.132/32 1
 ${fwcmd} table 1 add 125.163.77.180/32 1
 ${fwcmd} table 1 add 192.168.0.100/32 1
 ${fwcmd} table 1 add 202.10.32.10/32 1
 ${fwcmd} table 1 add 202.129.189.42/32 1
 ${fwcmd} table 1 add 202.129.189.45/32 1
 ${fwcmd} table 1 add 202.43.161.119/32 1
 ${fwcmd} table 1 add 202.43.161.124/32 1
 ${fwcmd} table 1 add 202.43.167.70/32 1
 ${fwcmd} table 1 add 202.43.167.72/32 1
 ${fwcmd} table 1 add 202.93.20.22/32 1
 ${fwcmd} table 1 add 202.93.20.23/32 1
 ${fwcmd} table 1 add 202.93.20.24/32 1
 ${fwcmd} table 1 add 202.93.247.26/32 1
 ${fwcmd} table 1 add 202.93.247.28/32 1

 ${fwcmd} add 100 pipe tablearg ip from ${ippriviix} to not "table(1)" \
     ${portlim} via ${ifint0}
 ${fwcmd} add 101 pipe tablearg ip from not "table(1)" ${portlim} to \
     ${ippriviix} via ${ifint0}

 As a result, those IP addresses can pass, but any other IP addresses
 (other than those above) could not be accessed, as if they were blocked.
 My intention is to limit (NOT block) any other IP addresses (other than
 those above). How could I use the 'not' keyword for the above case?

 Thank You

 --
 budsz
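
The following is an added example, not the poster's rc.firewall and not
anything from the thread: the same two shaping rules with the pipe named
explicitly rather than through tablearg, plus a small lint for the pattern.
It assumes that tablearg is only filled in by a table lookup that matched,
so in a rule whose only lookup is negated, a match means the lookup missed
and "pipe tablearg" has no usable pipe number; since every entry in table 1
maps to the same pipe, "pipe 1" states the intent directly. The values em0
and 192.168.1.0/24 are placeholders for the variables the post does not
show, and fwcmd defaults to "echo ipfw" so the script runs as a dry run
without ipfw present.

```sh
#!/bin/sh
# Added example (not the poster's rc.firewall): explicit "pipe 1" instead of
# "pipe tablearg" for rules whose only table lookup is negated.
# Assumption: tablearg only receives a value from a lookup that matched, so a
# rule that matches because "not table(1)" is true has nothing to feed it.
# Run as-is for a dry run that prints the ipfw commands; set fwcmd=/sbin/ipfw
# on the firewall host to apply them.

fwcmd="${fwcmd:-echo ipfw}"
ifint0="${ifint0:-em0}"                    # assumed internal interface
ippriviix="${ippriviix:-192.168.1.0/24}"   # assumed rate-limited LAN range
portlim="20-21,80,88,443,2009,8080,8088,10007,18755"
bwunlimit="64Kbit/s"
# hosts exempt from the pipe, one per word (same list as the post)
ipunlimit="10.35.4.1 122.102.49.132 125.163.77.180 192.168.0.100
202.10.32.10 202.129.189.42 202.129.189.45 202.43.161.119 202.43.161.124
202.43.167.70 202.43.167.72 202.93.20.22 202.93.20.23 202.93.20.24
202.93.247.26 202.93.247.28"

load_table() {
    # Rebuild table 1 from the list; the value 1 is kept only as documentation
    ${fwcmd} table 1 flush
    for a in ${ipunlimit}; do
        ${fwcmd} table 1 add "${a}/32" 1
    done
}

install_rules() {
    ${fwcmd} pipe 1 config bw "${bwunlimit}"
    # Listed hosts fail "not table(1)" and so skip both rules (unlimited);
    # everyone else matches and is sent to pipe 1 (limited, not blocked).
    ${fwcmd} add 100 pipe 1 ip from "${ippriviix}" to not "table(1)" \
        "${portlim}" via "${ifint0}"
    ${fwcmd} add 101 pipe 1 ip from not "table(1)" "${portlim}" to \
        "${ippriviix}" via "${ifint0}"
}

# Lint: read rule lines on stdin and print any that use tablearg while their
# only table lookup is negated. Returns 1 if something was flagged.
lint_tablearg() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *tablearg*) ;;
            *) continue ;;
        esac
        # blank out negated lookups, then see whether a positive one remains
        rest=$(printf '%s\n' "$line" | sed 's/not *"\{0,1\}table(/NEG/g')
        case "$rest" in
            *"table("*) ;;
            *) printf '%s\n' "$line"; rc=1 ;;
        esac
    done
    return "$rc"
}

load_table
install_rules
```

Feeding the original "pipe tablearg ... not "table(1)"" line to lint_tablearg
flags it, while the rules emitted by install_rules pass; the lint is
deliberately conservative and only reports a line when no positive lookup
is left to supply the argument.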


More information about the freebsd-questions mailing list