5.2.13. Address Range Object

Figure 5.59. The Address Range Object

The address range object describes a contiguous range of IPv4 addresses. (Arbitrary address ranges for IPv6 are not supported.) To create a new address range object, use the main menu New Object / New Address Range option. Its dialog provides the following entry fields:

  • Name:

    The name of the address range object

  • Range start:

    The address of the start of the range.

  • Range end:

    The address of the end of the range.

  • Comment:

    A free-form text field used for comments.

The address range is inclusive; that is, both the start and the end addresses are included in the range.

When the address range object is used in a rule, Firewall Builder replaces it with a list of addresses equivalent to the specified range. The compiler tries to generate the most economical representation of the range using a combination of subnets of different prefix lengths. Consider the address range object shown above. It represents the IP addresses between 192.168.1.100 and 192.168.1.160 (inclusive). It would be wasteful to generate 61 iptables commands, one per address, to represent this range. Instead, the compiler uses a combination of several subnets of different lengths and ends up with the following:

$IPTABLES -A FORWARD  -s 192.168.1.100/30  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.104/29  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.112/28  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.128/27  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -s 192.168.1.160  -m state --state NEW  -j ACCEPT 

Here is how the generated configuration looks for PF (this is essentially the same, except it uses tables for brevity):

table <tbl.r0.s> { 192.168.1.100/30 , 192.168.1.104/29 , 192.168.1.112/28 , \
192.168.1.128/27 , 192.168.1.160 } 

pass in   quick inet  from <tbl.r0.s>  to any keep state

Just for completeness, let's look at the configuration generated for the same rule for Cisco IOS access lists. This is only a fragment of the generated router access list configuration: generated ACLs are attached to interfaces and, since the rule in the example was not associated with any interface, it is attached to all of them. Here we show only one of the generated ACLs:

ip access-list extended inside_in
! 
! Rule  0 (global)
! 
! 
  permit ip 192.168.1.100 0.0.0.3 any  
  permit ip 192.168.1.104 0.0.0.7 any  
  permit ip 192.168.1.112 0.0.0.15 any  
  permit ip 192.168.1.128 0.0.0.31 any  
  permit ip host 192.168.1.160 any  
exit
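The decomposition behind all three outputs is the same: starting at the range start, take the largest CIDR block that is aligned at the current address and does not run past the range end, then repeat. The following is an added illustration written for this section, not Firewall Builder's own code; the function names are mine, and the iptables and IOS formatters reproduce the shapes shown above.

```python
import ipaddress
from typing import List


def range_to_cidrs(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Split an inclusive IPv4 range into the fewest CIDR blocks (greedy).

    At each step the block must start at `cur` (alignment constraint) and
    must not extend past `end`, so its size is the largest power of two that
    satisfies both. Hypothetical helper, not part of Firewall Builder.
    """
    cur = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if cur > last:
        raise ValueError("range start must not be after range end")
    blocks: List[ipaddress.IPv4Network] = []
    while cur <= last:
        # Largest aligned block: the lowest set bit of cur (whole space at 0).
        size = cur & -cur if cur else 1 << 32
        # Shrink until the block fits inside what remains of the range.
        while size > last - cur + 1:
            size //= 2
        prefix = 33 - size.bit_length()        # size == 2**(32 - prefix)
        blocks.append(ipaddress.IPv4Network((cur, prefix)))
        cur += size
    return blocks


def iptables_lines(start: str, end: str, chain: str = "FORWARD") -> List[str]:
    """Render one iptables rule per block; a /32 is printed as a bare host."""
    lines = []
    for net in range_to_cidrs(start, end):
        src = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"$IPTABLES -A {chain} -s {src} -m state --state NEW -j ACCEPT")
    return lines


def cisco_acl_lines(start: str, end: str) -> List[str]:
    """Render IOS ACL entries; IOS uses wildcard (inverted) masks, host for /32."""
    lines = []
    for net in range_to_cidrs(start, end):
        if net.prefixlen == 32:
            lines.append(f"permit ip host {net.network_address} any")
        else:
            lines.append(f"permit ip {net.network_address} {net.hostmask} any")
    return lines


if __name__ == "__main__":
    # The range from the figure above.
    for line in iptables_lines("192.168.1.100", "192.168.1.160"):
        print(line)
    for line in cisco_acl_lines("192.168.1.100", "192.168.1.160"):
        print(line)
```

The `ipaddress.summarize_address_range` function in the standard library performs the same split and can be used to cross-check the result.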

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.