From: "John A. Sullivan III"
Subject: Re: quick syntax query
Date: Mon, 07 Jun 2004 07:54:21 -0400
Message-ID: <1086609260.21179.4.camel@localhost>
To: "Knight, Steve"
Cc: "'netfilter@lists.netfilter.org'"

On Mon, 2004-06-07 at 06:53, Knight, Steve wrote:
> Hi there
>
> Can one use syntax other than CIDR notation when defining things like
> networks?
>
> i.e. it's common to see
>
> LAN_RANGE="192.168.0.0/24"
>
> in rule bases, but I would like to use
>
> DODGY_RANGE="192.168.0.1-5"
> GOOD_RANGE="192.168.0.6-30"
> BAD_BAD_RANGE="192.168.31-40"
>
> a la `nmap` syntax.
>
> Is this something netfilter can handle?

Yes, besides using CIDR and Dotted Decimal notation, one can apply the
IPRange patch-o-matic patch and use a rule such as

    iptables -A FORWARD -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT

We use it all the time in the ISCS project.

If you do not want to patch, you can use SubnetCreator
(http:subnetcreator.sourceforge.net) to turn a range into a list of
subnets and then make rules for each of the subnets. If you are using
Qt, it also provides a series of routines to do this programmatically.

--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
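Both alternatives from the reply, as an added example that is not from the thread, SubnetCreator or the ISCS project: an nmap-style shorthand like 192.168.0.6-30 is parsed, the range is split into the minimal set of CIDR subnets with a greedy alignment algorithm (an assumed, stand-alone implementation), and the matching iptables rules are emitted for a patched kernel (iprange match) and for an unpatched one (one -s rule per subnet). Function names and the FORWARD chain default are assumptions.

```python
from ipaddress import IPv4Address


def parse_range(text):
    """Accept '192.168.1.10-192.168.1.20' or the nmap-style '192.168.0.6-30'."""
    first, _, last = text.partition("-")
    if "." not in last:                       # shorthand: only the last octet given
        last = first.rsplit(".", 1)[0] + "." + last
    start, end = IPv4Address(first), IPv4Address(last)
    if start > end:
        raise ValueError(f"range {text!r} runs backwards")
    return str(start), str(end)


def range_to_cidrs(start, end):
    """Split an inclusive IPv4 range into the fewest CIDR blocks that cover it.

    Greedy: at each step take the largest block that starts at the current
    address (the address must be aligned to the block size) and still fits
    inside the remaining range.
    """
    cur, last = int(IPv4Address(start)), int(IPv4Address(end))
    blocks = []
    while cur <= last:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= last:
            size *= 2
        prefix = 33 - size.bit_length()       # size == 2**(32 - prefix)
        blocks.append(f"{IPv4Address(cur)}/{prefix}")
        cur += size
    return blocks


def accept_rules(text, chain="FORWARD"):
    """Return (rule for a kernel with the iprange patch, rules without it)."""
    start, end = parse_range(text)
    patched = [f"iptables -A {chain} -m iprange --src-range {start}-{end} -j ACCEPT"]
    unpatched = [f"iptables -A {chain} -s {cidr} -j ACCEPT"
                 for cidr in range_to_cidrs(start, end)]
    return patched, unpatched


if __name__ == "__main__":
    for spec in ("192.168.0.1-5", "192.168.0.6-30"):   # ranges from the question
        patched, unpatched = accept_rules(spec)
        print("\n".join(patched + unpatched))
```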