[Shorewall-users] How to allow specific services for machines in LAN behind router?

Bram Mertens bram-mertens at linux.be
Mon Feb 14 12:01:51 PST 2005


On Mon, 2005-02-14 at 11:46 -0800, Tom Eastep wrote:
[...] 
> > If I understand this correctly this would allow ssh for machines with an
> > IP address between 192.168.1.0 and 192.168.1.255.
> > 
> > Is there a way to allow only the IP addresses between 192.168.1.100 and
> > 192.168.1.149?
> > 
> 
> When working with networks, it is always best to pretend that human
> beings were given either 8 or 16 fingers rather than 10. Then you would
> be thinking of "IP addresses between 192.168.1.128 and 192.168.1.159"
> which would be:
> 
> ACCEPT	net:192.168.1.128/27	fw	tcp	22

/27 because that would be the VLSM with a Subnet Mask of 255.255.255.224
(as per Table 3. VLSM in the Shorewall Setup Guide)

> But if you don't sleep well unless all of the boundaries in your life
> are at multiples of 10 then:
[...]
> (see why powers of 2 are preferred to multiples of 10?)

Point taken...

<scratch my head>

So...

It would be easier to configure the dhcp of my router to provide IP
addresses starting from 192.168.1.128 rather than 192.168.1.100 and have
it assign only 31 addresses instead of 50.  That way I can use the 
ACCEPT	net:192.168.1.128/27	fw	tcp	22
rule you suggested, right?

TIA

Bram
-- 
# Mertens Bram "M8ram"   <bram-mertens at linux.be>   Linux User #349737 #
# debian testing            kernel 2.6.8-1-686     i686     512MB RAM #
# 20:54:36 up 6 days, 41 min,  7 users,  load average: 1.34, 0.93, 0.74 #
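To make the point of the exchange concrete, here is an added example (not code from the thread or from Shorewall; the function names are mine, the ranges and the port are the ones discussed above). It uses Python's standard ipaddress module to show that a pool that starts and ends on power-of-two boundaries (192.168.1.128 to .159) collapses into the single /27 Tom gave, with netmask 255.255.255.224 and 32 addresses, whereas the decimal pool 192.168.1.100 to .149 splinters into six CIDR blocks and therefore six rules lines. It also checks that hosts just outside the pool (.127 and .160) are not matched, which is the over-inclusion check you want before deploying the rule.

```python
"""Work out which CIDR blocks cover a DHCP pool, so a Shorewall ACCEPT
rule admits exactly the hosts intended.  Added example, not from the
original thread; the addresses and port come from the discussion, the
function names are assumptions of this example."""
import ipaddress


def covering_blocks(first, last):
    """Smallest list of CIDR blocks whose union is exactly first..last.

    A range aligned on power-of-two boundaries collapses to one block;
    an arbitrary decimal range splinters into several.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def netmask_of(cidr):
    """Dotted netmask for a prefix, e.g. /27 -> 255.255.255.224."""
    return str(ipaddress.ip_network(cidr, strict=True).netmask)


def address_count(cidr):
    """Number of addresses in the block (a /27 holds 32)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def shorewall_rules(first, last, port=22, proto="tcp", dest="fw"):
    """One ACCEPT line per covering block, in the /etc/shorewall/rules
    column layout used in the thread (ACTION SOURCE DEST PROTO DEST PORT)."""
    return [f"ACCEPT\tnet:{block}\t{dest}\t{proto}\t{port}"
            for block in covering_blocks(first, last)]


def is_admitted(host, first, last):
    """Would a packet from `host` match a rule generated for the pool?
    Used to confirm that hosts just outside the pool are NOT accepted."""
    addr = ipaddress.IPv4Address(host)
    return any(addr in ipaddress.ip_network(b)
               for b in covering_blocks(first, last))


if __name__ == "__main__":
    for rng in (("192.168.1.128", "192.168.1.159"),
                ("192.168.1.100", "192.168.1.149")):
        print(f"{rng[0]} .. {rng[1]}:")
        for line in shorewall_rules(*rng):
            print("   ", line)
    print("/27 netmask:", netmask_of("192.168.1.128/27"),
          "addresses:", address_count("192.168.1.128/27"))
    for h in ("192.168.1.127", "192.168.1.128",
              "192.168.1.159", "192.168.1.160"):
        verdict = is_admitted(h, "192.168.1.128", "192.168.1.159")
        print(h, "admitted" if verdict else "not matched")
```

Running it prints the single /27 rule for the aligned pool and six rules for the 100..149 pool; the same summarize_address_range call works for any range you are handed, so it doubles as a quick way to audit how many rules a non-aligned DHCP pool really costs you.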