bad@, let me explain my question to you again. Let's say you want to exclusively allow packets from the 192.168.64.0 neighborhood for whatever security reasons.

    pass from 192.168.64.7/24 }
    group default { block all }

The above rules will not match any packet from the 192.168.64 neighborhood, hence they go to default and get blocked. (But you actually intended to pass them.) This is because, when say a packet coming in has src addr 192.168.64.2, NPF applies the mask to the incoming packet: (192.168.64.2 & 255.255.255.0) ==> 192.168.64.0. Then BPF directly compares 192.168.64.7 (on the rule, without mask) to 192.168.64.0 (masked IP from the packet). Since 192.168.64.7 != 192.168.64.0, it skips that packet.

The rules as follows match, hence you actually get to pass them. Here, after masking 192.168.64.2 & 255.255.255.0, you get 192.168.64.0, and BPF compares directly to the unmasked IP on the rule (192.168.64.0), hence it matches.

    group "ext" on $intf {
        pass from 192.168.64.0/24
    }
    group default { block all }

My main question is, I got information on the internet that it is also not wrong to write 192.168.64.7/24 to refer to a sub network. So should we allow 192.168.64.7/24 to match packets from the 192.168.64 neighborhood? Because right now, only 192.168.64.0/24 matches the neighborhood. Or should any non-zero host bit in the mask format not match?
Emmanuel
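The two matching strategies discussed in the message above, as an added example that is not NPF's or BPF's own code: one masks only the packet address and compares it with the rule address as written (the behaviour the post describes, which makes 192.168.64.7/24 match nothing), the other masks both sides so host bits in the rule are ignored. Function names and the sample addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Build an IPv4 address as a host-order 32-bit integer from four octets. */
static uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Netmask for a prefix length 0..32, host byte order. */
static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : (uint32_t)(0xFFFFFFFFu << (32 - len));
}

/* Behaviour described in the post: the packet address is masked, then
 * compared against the rule address exactly as written (unmasked). A rule
 * with non-zero host bits, e.g. 192.168.64.7/24, therefore never matches. */
bool match_mask_packet_only(uint32_t rule_addr, unsigned len, uint32_t pkt)
{
    return (pkt & prefix_mask(len)) == rule_addr;
}

/* Alternative: mask both sides, so host bits in the rule are ignored and
 * 192.168.64.7/24 matches the same packets as 192.168.64.0/24. */
bool match_mask_both(uint32_t rule_addr, unsigned len, uint32_t pkt)
{
    uint32_t m = prefix_mask(len);
    return (pkt & m) == (rule_addr & m);
}

int main(void)
{
    uint32_t pkt = ip4(192, 168, 64, 2); /* constructed sample source address */
    uint32_t r7 = ip4(192, 168, 64, 7);  /* rule "from 192.168.64.7/24" */
    uint32_t r0 = ip4(192, 168, 64, 0);  /* rule "from 192.168.64.0/24" */

    printf("mask packet only: .7/24 -> %d, .0/24 -> %d\n",
           match_mask_packet_only(r7, 24, pkt), match_mask_packet_only(r0, 24, pkt));
    printf("mask both sides : .7/24 -> %d, .0/24 -> %d\n",
           match_mask_both(r7, 24, pkt), match_mask_both(r0, 24, pkt));
    return 0;
}
```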