 From:  "Jewell, Mike" <mjewell at law dot umaryland dot edu>
 To:  DLStrout <dstrout at maine dot rr dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] Firewall ip address grouping for rules ....
 Date:  Mon, 14 Mar 2005 10:47:11 -0500
You may be able to accomplish this by adding denies for individual
addresses, then adding an allow for a range (by figuring out a correct subnet mask).

I.e.
I want .9,.10,.11,.13 & .14 to go through,  but not .12

Deny .8 (the subnet address in this case)
Deny .12 (the address to be blocked)
Deny .15 (the broadcast in this case)
Allow .8/29 (255.255.255.248 mask)

Simple rules always tend to make more sense to me... Just make sure to use
the description field to write notes to yourself so you don't go "What the
hell was I doing here??" in a year when you go to look at the rules...

If you need help figuring out subnet masks, go here and get the Subnet
Calculator; it's very well written.

http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm

-Mike
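The deny-then-allow approach above, written out as an added Python example (not code from the thread or from m0n0wall): it derives the covering block for a set of wanted hosts, emits the explicit denies Mike lists (network address, unwanted host, broadcast), and then evaluates the list first-match the way the firewall does. The 192.0.2.0/24 prefix is an assumed placeholder, not an address from the thread.

```python
import ipaddress

# Constructed from the thread's example: .9, .10, .11, .13 and .14 go through, .12 does not.
# 192.0.2.0/24 is a documentation prefix used here as a placeholder.
WANTED = ["192.0.2.9", "192.0.2.10", "192.0.2.11", "192.0.2.13", "192.0.2.14"]


def covering_block(hosts):
    """Smallest CIDR block that contains every wanted host (the 'figure out a mask' step)."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    lo, hi = min(addrs), max(addrs)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()  # widen by one bit until the highest host fits
    return str(net)


def build_rules(hosts):
    """Ordered first-match list: one deny per address in the block that is not wanted
    (network and broadcast addresses included, as in Mike's rules), then one allow
    for the whole block."""
    block = ipaddress.ip_network(covering_block(hosts))
    wanted = {ipaddress.ip_address(h) for h in hosts}
    rules = [("deny", f"{a}/32") for a in block if a not in wanted]
    rules.append(("allow", str(block)))
    return rules


def first_match(rules, src):
    """Walk the list top-down; the first rule that matches decides, implicit deny at the end."""
    addr = ipaddress.ip_address(src)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return "deny"


if __name__ == "__main__":
    rules = build_rules(WANTED)
    for action, cidr in rules:
        print(action, cidr)
    for n in range(8, 17):
        host = f"192.0.2.{n}"
        print(host, first_match(rules, host))
```

Reversing the list (allow before the denies) lets .12 through, which is the ordering caveat in Don's reply below.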

-----Original Message-----
From: Don Munyak [mailto:don dot munyak at gmail dot com] 
Sent: Monday, March 14, 2005 9:43 AM
To: DLStrout
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Firewall ip address grouping for rules ....

Why not add DENY ACLs first for specific nodes, followed by PERMITs
for the entire range? As the packet hits the FW, if it matches the
DENY first, it will be tossed.

just a thought


On Thu, 10 Mar 2005 20:21:44 -0500, DLStrout <dstrout at maine dot rr dot com> wrote:
> All,
> Looking for some direction on grouping addresses in firewall rules.  I
> would like to allow only host addresses X.X.X.10,11,12 & 14 .... etc,
> etc --> to the WAN and I don't want to have to write a separate rule for
> each (57 total) non-sequential host address.
> 
> And, by the way ... I can not re-subnet to accomplish this!!
> 
> If this is not a possibility, then maybe it would be better placed as a
> feature request.
> 
> BTW, have I mentioned ... A++++ product !!!!  m0n0 rules !!
> 
> DLStrout
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch