> -----Original Message-----
> From: Stephen Angell [mailto:stephen dot angell at gbsd dot org]
> Sent: Monday, February 23, 2004 3:01 PM
> To: Brandon Holland
> Subject: Re: [m0n0wall] rules rule me
>
> "Brandon Holland" <brandon at cookssaw dot com> writes:
>
> >Opening a port in your firewall won't magically cause GRC to see that
> >the port is open.
> >
> >A PASS rule bypasses the firewall. If there is a place for the packet
> >to go once it passes the firewall rule (to say your listening SMTP
> >server on port 25) then GRC will see the mail server and tell you the
> >port is open.
> >
> >If however you have a rule to PASS with nothing to pass to (if you
> >haven't set NAT on the port or m0n0wall doesn't have the port open)
> >it'll hit the top stack and return a reset packet, telling GRC it's
> >"closed".
>
> Sure enough, I started Netmeeting and GRC now says it is open. Thanks for the
> education. I am still unable to get it, Netmeeting, working but at least I
> know it is not the rule that is causing me a problem.
>
> >This is called Classless Interdomain Routing (CIDR) I believe it is
> >anyway, I'm not looking it up and I've been out of cisco for a while...
> >
> >At any rate, to keep things brief: 32 is a single host, 24 is
> >255.255.255.0, 16 is 255.255.0.0, 8 is 255.0.0.0, 0 is the world
> >
> >The /number corresponds with the number of bits you want to use as the
> >network number. (Leaving what's left as the host number)
> >
> >For a 255.255.255.0 mask the first three octets are network numbers, the
> >last is host. 255 is represented by 8 "on" bits and 8*3 equals 24 so
> >hence the /24 for the typical class C address.
>
> OK, gotta read up on this one. One question: Is this the mechanism to
> specify a range of IPs to apply a rule to instead of creating a rule for
> each IP? A simple yes or no would suffice. If yes, I can then go and
> learn CIDR to figure it out. If no, I guess I have to specify a rule for
> each IP.
>
> Thanks for your reply Brandon ... and your patience with a newbie such as
> me.

No, it's the replacement for the "old fashioned" subnetting (allows for more
thorough use of the ipv4 space - since it's quickly being used up)

What you're talking about will happen when the new ipfilter comes out
(whenever that may be)

It's just another way of specifying either a host or a network (subnet)

Brandon

> >Brandon
>
> Stephen
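The prefix-length arithmetic Brandon describes in the quoted message (the /n is the count of network bits, the rest are host bits) is easy to check before you commit a firewall rule to a host or a subnet. The following Python is an added example, not code from this list thread or from m0n0wall: it converts a prefix length to a dotted netmask by setting the top n bits, converts a netmask back (rejecting non-contiguous masks), and tests whether a rule written as a.b.c.d/n would match a given packet address, so you can see exactly how many hosts a PASS rule reaches. The rule and address values are constructed for illustration.

```python
# Added example illustrating the CIDR explanation in the thread above.
# Not m0n0wall code; rule and address values below are constructed samples.
import ipaddress


def prefix_to_mask(prefix: int) -> str:
    """Turn /prefix into a dotted netmask by setting the top `prefix` bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask_int = ((1 << prefix) - 1) << (32 - prefix)  # /24 -> 0xFFFFFF00
    return str(ipaddress.IPv4Address(mask_int))


def mask_to_prefix(mask: str) -> int:
    """Inverse: count leading one bits; reject masks with holes in them."""
    m = int(ipaddress.IPv4Address(mask))
    prefix = 0
    while prefix < 32 and m & (1 << (31 - prefix)):
        prefix += 1
    if ((1 << prefix) - 1) << (32 - prefix) != m:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def rule_matches(rule_cidr: str, packet_ip: str) -> bool:
    """A rule a.b.c.d/n matches a packet when the network bits agree.

    The host bits (the low 32-n bits) are masked off on both sides,
    so /32 matches one host, /24 matches 256 addresses, /0 matches all.
    """
    net_str, prefix_str = rule_cidr.split("/")
    prefix = int(prefix_str)
    mask = ((1 << prefix) - 1) << (32 - prefix)
    net_bits = int(ipaddress.IPv4Address(net_str)) & mask
    return int(ipaddress.IPv4Address(packet_ip)) & mask == net_bits


def host_count(rule_cidr: str) -> int:
    """Number of addresses a rule reaches: 2 ** (host bits)."""
    prefix = int(rule_cidr.split("/")[1])
    return 1 << (32 - prefix)


if __name__ == "__main__":
    # Reproduce the table from the quoted message, then test a few rules.
    for p in (32, 24, 16, 8, 0):
        print(f"/{p:<2} -> {prefix_to_mask(p):<15} ({host_count('0.0.0.0/%d' % p)} addresses)")
    # Constructed sample rule and packet sources, not from the list.
    rule = "192.168.1.0/24"
    for src in ("192.168.1.77", "192.168.2.1"):
        print(f"{rule} matches {src}: {rule_matches(rule, src)}")
```

A quick sanity check before deploying a PASS rule is to feed the rule's CIDR to `host_count`: a /24 reaches 256 addresses, a /32 reaches exactly one, and a /0 reaches everything, which is rarely what a rule intended for one host should do.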