The address range object describes a continuous range of IPv4 addresses. (Arbitrary address ranges for IPv6 are not supported.) To create a new address range object, use the main menu option. Its dialog provides the following entry fields:

Name: The name of the address range object.
Range start: The address of the start of the range.
Range end: The address of the end of the range.
Comment: A free-form text field used for comments.
The address range is inclusive; that is, both the start and the end addresses are included in the range.
When the address range object is used in a rule, Firewall Builder replaces it with a list of addresses equivalent to the specified range. The compiler tries to generate the most economical representation of the range using a combination of subnets of different lengths. Consider the address range object shown above. It represents the IP addresses between 192.168.1.100 and 192.168.1.160 (inclusive). It would be wasteful to generate 61 iptables commands, one per address, to represent this range. Instead, the compiler uses a combination of several subnets of different lengths and ends up with the following:
$IPTABLES -A FORWARD -s 192.168.1.100/30 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.104/29 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.112/28 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.128/27 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.160 -m state --state NEW -j ACCEPT
Here is how the generated configuration looks for PF (this is essentially the same, except it uses tables for brevity):
table <tbl.r0.s> { 192.168.1.100/30 , 192.168.1.104/29 , 192.168.1.112/28 , \
                   192.168.1.128/27 , 192.168.1.160 }
pass in quick inet from <tbl.r0.s> to any keep state
Just for completeness, let's look at the configuration generated for the same rule for Cisco IOS access lists. This is only a fragment of the generated router access list configuration: generated ACLs are attached to interfaces, and since the rule in the example was not associated with any particular interface, it is attached to all of them. Here we show only one of the generated ACLs:
ip access-list extended inside_in
!
! Rule 0 (global)
!
!
permit ip 192.168.1.100 0.0.0.3 any
permit ip 192.168.1.104 0.0.0.7 any
permit ip 192.168.1.112 0.0.0.15 any
permit ip 192.168.1.128 0.0.0.31 any
permit ip host 192.168.1.160 any
exit
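The following is an added worked example, not Firewall Builder's own source code, showing the range-to-subnet decomposition the compiler performs for any inclusive IPv4 range (not just the one above) and rendering the result in the iptables and Cisco IOS shapes shown on this page. It uses only the Python standard library; the greedy splitter is written out by hand and then cross-checked against ipaddress.summarize_address_range. The function names and the sample ranges other than 192.168.1.100-192.168.1.160 are this example's own.

```python
import ipaddress


def range_to_cidrs(start, end):
    """Decompose an inclusive IPv4 range into the fewest CIDR blocks.

    Greedy: at each step take the largest block that starts exactly at the
    current address (alignment) and does not run past the end of the range.
    """
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("range start must not be greater than range end")
    blocks = []
    while lo <= hi:
        prefix = 32  # a single host address always fits
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next larger block
            # widen only if lo is aligned to that block and the block
            # still ends at or before hi
            if lo % size != 0 or lo + size - 1 > hi:
                break
            prefix -= 1
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += 1 << (32 - prefix)
    return blocks


def address_count(start, end):
    """Number of addresses in the inclusive range (rules saved by splitting)."""
    return int(ipaddress.IPv4Address(end)) - int(ipaddress.IPv4Address(start)) + 1


def iptables_rules(start, end, chain="FORWARD"):
    """Render one iptables ACCEPT rule per block, in the shape shown above."""
    rules = []
    for net in range_to_cidrs(start, end):
        # a /32 is written as a bare host address, as in the compiler output
        src = str(net.network_address) if net.prefixlen == 32 else str(net)
        rules.append(f"$IPTABLES -A {chain} -s {src} -m state --state NEW -j ACCEPT")
    return rules


def ios_acl_lines(start, end):
    """Render Cisco IOS extended ACL entries; IOS uses wildcard (inverted) masks."""
    lines = []
    for net in range_to_cidrs(start, end):
        if net.prefixlen == 32:
            lines.append(f"permit ip host {net.network_address} any")
        else:
            lines.append(f"permit ip {net.network_address} {net.hostmask} any")
    return lines


def check_against_stdlib(start, end):
    """Cross-check the hand-written split with ipaddress.summarize_address_range."""
    ours = range_to_cidrs(start, end)
    ref = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return ours == ref


if __name__ == "__main__":
    s, e = "192.168.1.100", "192.168.1.160"  # the range used on this page
    print(f"{address_count(s, e)} addresses -> {len(range_to_cidrs(s, e))} blocks")
    for line in iptables_rules(s, e):
        print(line)
    for line in ios_acl_lines(s, e):
        print(line)
    print("matches ipaddress.summarize_address_range:", check_against_stdlib(s, e))
```

Running it for 192.168.1.100-192.168.1.160 reproduces the five blocks listed above (/30, /29, /28, /27 and the single host 192.168.1.160). The inner loop is the whole trick: a block can only be widened while its start stays aligned to the larger size and its last address stays inside the range, which is why the decomposition is forced to start with small blocks, grow toward the middle, and shrink again at the end.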
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.