
Re: [fw-wiz] IP Ranges

To: Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Subject: Re: [fw-wiz] IP Ranges
From: Sergio Pozo Hidalgo <sergio@lsi.us.es>
Date: Fri, 30 Mar 2007 16:51:36 +0200
In-reply-to: <92db0b590703291351n3e02f5aeg498022a6dc1db47f@mail.gmail.com>
References: <4607F5B6.3040506@lsi.us.es> <6c7b22150703271248t1e252622jabbfae188e7e6749@mail.gmail.com> <AA8E89377DCB1C498CF19E343CA49D8E105ECD@NYEXCHSVR01.texpac.com> <92db0b590703291351n3e02f5aeg498022a6dc1db47f@mail.gmail.com>
Security Guy wrote:
> specifically regarding PIX
> 
> Object groups do make ACL management a whole lot easier, but you're
> still stuck specifying hosts or contiguous networks within the group,
> you can't just put in a range like 192.168.10.15-28 that doesn't
> summarize nicely.

Mmmm. I was thinking and experimenting with several subnet calculators,
and I concluded that the only ranges that can be specified are of the
kind IP/CIDR, because if you specify something like 192.168.1.20-30 it
can mean that range of ten IPs (in this case; in other cases it can be
several IPs), or it can mean:
192.168.1.20/255.255.255.252
192.168.1.24/255.255.255.252
192.168.1.28/255.255.255.254
192.168.1.30/255.255.255.255

which aren't in the same network range... In any case, you cannot
specify which of the two options you want, and the IPTables documentation
doesn't say.
I think that this is one of the reasons why the ip-range option is not a
very useful one, and is only implemented (I suppose) in IPTables 2.4 and
2.6.

-Sergio
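The four-block split of 192.168.1.20-30 listed in the message above is one instance of a general rule: any contiguous range of addresses can be cut into a minimal list of aligned CIDR blocks, which is what you need when a firewall (PIX object groups, or plain iptables -s/-d) only accepts network/mask entries. The script below is an added example written for this page, not code from the thread or from iptables/PIX. It implements that decomposition directly, checks it against the Python standard library's own ipaddress.summarize_address_range, and renders both rule styles: one iptables "-m iprange --src-range" rule versus one "-s" rule per CIDR block. The chain and target names (INPUT, DROP) and the two sample ranges are taken from the thread or chosen for illustration; nothing here claims that any particular iptables or PIX version behaves in a specific way.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the minimal list of
    aligned CIDR blocks, lowest address first.

    At each step the block must start at `start` (so it cannot be larger than
    the alignment of `start`) and must not run past `end`; we take the largest
    power-of-two size satisfying both, emit it, and advance.
    """
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range start {first} is above range end {last}")
    blocks = []
    while start <= end:
        size = 1
        # Grow the block while it stays aligned to its size and inside the range.
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        prefix = 33 - size.bit_length()  # size=1 -> /32, size=4 -> /30, ...
        blocks.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return blocks


def covers_exactly(first, last, blocks):
    """True if `blocks` tile first..last with no gaps and no overlap."""
    expected = int(ipaddress.IPv4Address(first))
    for net in blocks:
        if int(net.network_address) != expected:
            return False
        expected = int(net.broadcast_address) + 1
    return expected == int(ipaddress.IPv4Address(last)) + 1


def iptables_cidr_rules(first, last, chain="INPUT", target="DROP"):
    """One classic -s rule per CIDR block (chain/target are assumed names)."""
    return [
        f"iptables -A {chain} -s {net.with_prefixlen} -j {target}"
        for net in range_to_cidrs(first, last)
    ]


def iptables_iprange_rule(first, last, chain="INPUT", target="DROP"):
    """The same policy as a single rule using the iprange match module."""
    return f"iptables -A {chain} -m iprange --src-range {first}-{last} -j {target}"


def agrees_with_stdlib(first, last):
    """Cross-check our decomposition against ipaddress.summarize_address_range."""
    ours = range_to_cidrs(first, last)
    ref = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return ours == ref and covers_exactly(first, last, ours)


if __name__ == "__main__":
    # Constructed sample ranges: the one from the reply and the one from the
    # quoted PIX complaint (192.168.10.15-28, which "doesn't summarize nicely").
    for first, last in [("192.168.1.20", "192.168.1.30"),
                        ("192.168.10.15", "192.168.10.28")]:
        print(f"# {first}-{last}: {len(range_to_cidrs(first, last))} CIDR blocks")
        print(iptables_iprange_rule(first, last))
        for rule in iptables_cidr_rules(first, last):
            print(rule)
        print(f"# agrees with stdlib: {agrees_with_stdlib(first, last)}")
```

The size of the CIDR list is what makes arbitrary ranges painful in mask-only ACLs: a range whose ends are not aligned costs one block per set bit at each unaligned edge, so a 14-address range becomes four entries. When the firewall supports a range match, the single iprange rule is the same policy with less to misconfigure; when it does not, generating the CIDR list mechanically, as above, is safer than hand-computing masks.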
