 
 From:  Don Munyak <don dot munyak at gmail dot com>
 To:  "Jewell, Mike" <mjewell at law dot umaryland dot edu>
 Cc:  DLStrout <dstrout at maine dot rr dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Firewall ip address grouping for rules ....
 Date:  Mon, 14 Mar 2005 15:59:34 -0500
Here's another good link:
http://www.learntosubnet.com/


On Mon, 14 Mar 2005 10:47:11 -0500, Jewell, Mike
<mjewell at law dot umaryland dot edu> wrote:
> You may be able to accomplish this by adding denies for individual
> addresses, then add an allow for a range (by figuring a correct subnet mask).
> 
> I.e.
> I want .9, .10, .11, .13 & .14 to go through, but not .12
> 
> Deny .8 (the subnet address in this case)
> Deny .12 (the address to be blocked)
> Deny .15 (the broadcast in this case)
> Allow .8/29 (255.255.255.248 mask)
> 
> Simple rules always tend to make more sense to me... Just make sure to use
> the description field to write notes to yourself so you don't go "What the
> hell was I doing here??" in a year when you go to look at the rules...
> 
> If you need help figuring out subnet masks, go here and get the Subnet
> calculator, it's very well written.
> 
> http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm
> 
> -Mike
> 
> -----Original Message-----
> From: Don Munyak [mailto:don dot munyak at gmail dot com]
> Sent: Monday, March 14, 2005 9:43 AM
> To: DLStrout
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Firewall ip address grouping for rules ....
> 
> Why not add DENY ACLs first for specific nodes followed by PERMITs
> for the entire range? As the packet hits the FW, if it matches the
> DENY first, it will be tossed.
> 
> Just a thought.
> 
> On Thu, 10 Mar 2005 20:21:44 -0500, DLStrout <dstrout at maine dot rr dot com> wrote:
> > All,
> > Looking for some direction on grouping addresses in firewall rules.  I
> > would like to allow only host addresses X.X.X.10, 11, 12 & 14 .... etc,
> > etc --> to the WAN and I don't want to have to write a separate rule for
> > each (57 total) non-sequential host address.
> >
> > And, by the way ... I cannot re-subnet to accomplish this!!
> >
> > If this is not a possibility, then maybe it would be better placed as a
> > feature request.
> >
> > BTW, have I mentioned ... A++++ product !!!!  m0n0 rules !!
> >
> > DLStrout
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >
> >
> 
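As an added example (not part of the thread), a short script that generalizes Mike's deny-then-allow recipe: it finds the smallest aligned CIDR block covering the wanted hosts, lists every address in that block that must be denied first (network and broadcast included), and uses a first-match evaluator to confirm that rule order is what keeps the unwanted host out. The 192.168.1.x addresses are constructed to mirror Mike's .9 to .14 example; m0n0wall's rule syntax is not modelled, only the ordering logic.

```python
import ipaddress


def covering_block(hosts):
    """Smallest aligned CIDR block that contains every address in hosts."""
    addrs = sorted(ipaddress.ip_address(h) for h in hosts)
    lo, hi = addrs[0], int(addrs[-1])
    for prefix in range(32, -1, -1):
        # strict=False lets the library mask lo down to the block's network address
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi <= int(net.broadcast_address):
            return net


def build_rules(hosts):
    """Ordered rule list: deny each unwanted address inside the covering block
    (this naturally includes the network and broadcast addresses, as in Mike's
    .8 and .15), then allow the whole block.  Every rule is (action, target)."""
    net = covering_block(hosts)
    wanted = {ipaddress.ip_address(h) for h in hosts}
    denies = [("deny", str(a)) for a in net if a not in wanted]
    return denies + [("allow", str(net))]


def first_match(rules, src):
    """First-match evaluation as a packet filter does it; default deny."""
    a = ipaddress.ip_address(src)
    for action, target in rules:
        if a in ipaddress.ip_network(target):
            return action
    return "deny"


if __name__ == "__main__":
    # Constructed sample: allow .9, .10, .11, .13, .14 but not .12
    hosts = ["192.168.1.9", "192.168.1.10", "192.168.1.11",
             "192.168.1.13", "192.168.1.14"]
    rules = build_rules(hosts)
    for action, target in rules:
        print(f"{action:5} {target}")
    print("blocked .12:", first_match(rules, "192.168.1.12"))
    # Same rules with the allow first: the deny for .12 is never reached
    print("allow-first lets .12 through:", first_match(rules[::-1], "192.168.1.12"))
```

For a sparse set like the 57 hosts in the original question, count the deny rules build_rules() emits before committing to one block; a widely spread set may need fewer total rules if it is split into several smaller blocks.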