Firewall Wizards mailing list archives
Re: IP Ranges
From: "Security Guy" <security () sligoinc com>
Date: Thu, 29 Mar 2007 16:51:26 -0400
Specifically regarding PIX: object groups do make ACL management a whole lot easier, but you're still stuck specifying hosts or contiguous networks within the group; you can't just put in a range like 192.168.10.15-28 that doesn't summarize nicely.

On 3/28/07, Fetch, Brandon <bfetch () tpg com> wrote:

> Object groups are where I was headed. The groups can take on networks, hosts and ports and can then be used in place of where an ACL would go. I happen to use object groups to define a block of allowed inbound sources and use that to define the ACL as the source. Keeps me from having to selectively manage an ACL. The ACL stays put and I merely manage the group.
>
> HTH,
> Brandon
>
> ________________________________
> From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Jason Gervia
> Sent: Tuesday, March 27, 2007 3:48 PM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] IP Ranges
>
> Hello,
>
> In regards to Cisco PIX - there's no real way to specify a 'range' option with regards to IP addresses. I'd suggest trying object groups and specifying which hosts you would like.
>
> In IOS, you could potentially use subnet masks that specified 2, 4, 8, 16, etc. hosts to get the equivalent of a range, but I believe the stateful firewalling that is part of the PIX won't allow that (it will deny src/destinations of networks or broadcast networks).
>
> I agree, it would be a great thing for Cisco to add in a later code release. Unfortunately it's not here yet.
>
> --Jason
>
> On 3/26/07, Sergio Pozo Hidalgo <sergio () lsi us es> wrote:
>
> > Hi all,
> >
> > I have been searching in the list and in Google about how to specify IP ranges in different low-level firewall languages. I have read that it is possible to do that with iptables using the --ip-range parameter. But I couldn't find any information regarding PIX or PF using a syntax like the iptables one.
> >
> > I know it is possible to specify contiguous and non-contiguous IP ranges using subnets (Subnet Calculator is a good application for that), and a combination of deny and permit rules. But the question is if there is a way to specify a range using the easy-to-use format of iptables: 192.168.0.1-192.168.2.20 (I know there is a mix of subnets...)
> >
> > Thank you very much in advance.
> >
> > Best regards,
> >
> > --
> > Sergio Pozo Hidalgo
> > Quivir Research Group <www.lsi.us.es/~quivir>
> > University of Seville (Spain)
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () listserv icsalabs com
> > https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

--
-Karl