firewall rules for a range of ip addresses

Discussion in 'other firewalls' started by RockLobster, Nov 27, 2017.

  1. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,089
    It's been a while since I made manual firewall rules, and the firewall has very little documentation except to say you can use * to represent all addresses. I want to make a rule to allow a range of IP addresses,
    172-217-0-0 to 172-217-255-255, but it doesn't say how to do that, so I am guessing I should use a subnet mask, but I have forgotten.

    Should that be
    172-217-0-0,255-255-255-255
    or
    172-217-0-0,172,217,255,255
    or
    172-217-0-0,0-0-255,255?
     
  2. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,851
    Location:
    Slovakia
    What firewall? I have always seen IP ranges in firewalls typed normally: a dash between the two IPs of a range, no spaces, and a comma before the next IP or range, like for Windows Firewall:

    netsh advfirewall firewall add rule name="POP Peeper IMAP" dir=out action=allow protocol=TCP remoteip=94.100.176.0-94.100.183.255,217.69.136.0-217.69.141.255 remoteport=143,587 program="%ProgramFiles(x86)%\POP Peeper\POPPeeper.exe"
     
  3. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,027
    A network/range would be something like this:
    172.217.0.0-172.217.255.255
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,089
    Yes, but the firewall I'm testing is NoRoot Firewall for Android, and it doesn't want to accept that.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,425
    In NoRoot, don't do a range. Type in 172.217.0.0/32, then use the dropdown to select a port, or all ports (*).
     
  6. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    Shouldn't that be 172.217.0.0/16? Assuming it's dealing with IPv4 addressing, this reserves the first 16 bits for the network portion of the address and the final 16 bits for the host portion.
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,425
    Yes, it should be /16. Sorry for the careless answer :)
    I just confirmed so with the CIDR calculator.
    In any case, NoRoot accepts CIDR notation instead of ranges.
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,089
    I thought 172.217.0.0/16 was working but apparently it's not. I am still getting connection requests to IP addresses within the allowed range...
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,093
    Location:
    Canada
    There is a Wilders thread here on the firewall, and based on some of the images posted for custom filters, it looks like you may have to set the range as in the following example:

    Code:
    172.217.*.*:80
    This would give you the network address range you're looking for, restricted to port 80. If you want any port, you would use an "*" (without quotes).
     
  10. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,425
    /16 seems to be working here: all packets went to Pending access, and syncing contacts didn't work. OS Monitor showed SYN_SENT and no established connection. I made the rule in Pre-Filter.
    Maybe that's not a good test.

    Edit: (1) I deleted a picture I posted earlier of just one application (it wasn't a good demo). When the 172.217.x.x range was blocked, Android subsequently redirected things to another IP. To completely block this stuff use ...
    (2) another syntax, *.1e100.net, and (*) for the port.
    Whether it's a good idea or not, I'm not sure. It knocked out a lot of stuff: Google Account Manager, Google Play Services and Framework, Gmail (but Gmail worked without 1e100.net), and other such.
    (3) This also seems to have worked: 172.217.*.*:*

    I've been looking at Access Log to see what exactly is or is not being blocked.
     
    Last edited: Nov 28, 2017
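The three notations that come up in this thread (a start-end range as used with netsh, a CIDR block as NoRoot accepts, and the 172.217.*.* wildcard form) describe the same address sets, and the /32 versus /16 confusion in posts 5-7 is exactly where they diverge. The following is an added example, not code from the thread or from NoRoot Firewall; it uses only Python's standard ipaddress module. The wildcard semantics (a * octet matches 0-255, and nothing fixed may follow a *) and the host:port rule layout are assumptions modelled on the forms posted above, not a documented NoRoot grammar, and the helper is IPv4 only.

```python
"""Convert between IPv4 range, CIDR and dotted-wildcard forms of a firewall
rule, and evaluate a 'host:port' rule against a connection (added example)."""
import ipaddress
from typing import List, Optional, Tuple


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks that exactly covers first..last inclusive.

    A range that is not aligned to a power of two needs several blocks, which
    is why a firewall that only takes CIDR may need more than one rule."""
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def cidr_to_range(cidr: str) -> Tuple[str, str, int]:
    """Expand a CIDR block to (first address, last address, number of hosts)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def wildcard_to_cidr(pattern: str) -> str:
    """Convert a dotted wildcard such as 172.217.*.* to its CIDR equivalent.

    Assumed semantics (not a documented NoRoot grammar): a '*' octet matches
    0-255, and once a '*' appears every octet to its right must also be '*'."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad pattern: {pattern!r}")
    prefix = 0
    seen_star = False
    for octet in octets:
        if octet == "*":
            seen_star = True
        elif seen_star:
            raise ValueError(f"fixed octet after '*' in {pattern!r}")
        else:
            prefix += 8  # each fixed octet contributes 8 network bits
    fixed = ".".join("0" if o == "*" else o for o in octets)
    # ip_network also rejects octets outside 0-255 (e.g. the 271 typo above).
    return str(ipaddress.ip_network(f"{fixed}/{prefix}"))


def parse_rule(rule: str) -> Tuple[ipaddress.IPv4Network, Optional[int]]:
    """Parse an assumed 'host:port' rule. host may be CIDR, a dotted wildcard
    or a bare address (treated as a single /32 host); port is a number or '*'.
    IPv4 only: the last ':' is taken as the host/port separator."""
    host, sep, port_spec = rule.rpartition(":")
    if not sep:  # no port given at all: treat as any port
        host, port_spec = rule, "*"
    if "/" in host:
        net = ipaddress.ip_network(host, strict=False)
    elif "*" in host:
        net = ipaddress.ip_network(wildcard_to_cidr(host))
    else:
        net = ipaddress.ip_network(f"{host}/32")  # bare address = exactly one host
    port = None if port_spec == "*" else int(port_spec)
    return net, port


def rule_matches(rule: str, ip: str, port: int) -> bool:
    """True if the connection (ip, port) falls inside the rule's host set and port."""
    net, rule_port = parse_rule(rule)
    return ipaddress.ip_address(ip) in net and (rule_port is None or rule_port == port)


if __name__ == "__main__":
    # Constructed sample inputs taken from the forms posted in the thread.
    print(range_to_cidrs("172.217.0.0", "172.217.255.255"))  # ['172.217.0.0/16']
    print(range_to_cidrs("217.69.136.0", "217.69.141.255"))  # two blocks, /22 + /23
    print(cidr_to_range("172.217.0.0/32"))  # ('172.217.0.0', '172.217.0.0', 1)
    print(cidr_to_range("172.217.0.0/16"))  # ('172.217.0.0', '172.217.255.255', 65536)
    print(wildcard_to_cidr("172.217.*.*"))  # 172.217.0.0/16
    print(rule_matches("172.217.0.0/32:*", "172.217.14.206", 443))  # False: /32 is one host
    print(rule_matches("172.217.*.*:80", "172.217.14.206", 80))  # True
```

The /32 case is the practical point: 172.217.0.0/32 matches only the single address 172.217.0.0, so traffic to any other host in the block still shows up as unfiltered, which is the symptom described in post 8. The netsh ranges from post 2 also show why a CIDR-only firewall may need more than one rule: 217.69.136.0-217.69.141.255 is not a single power-of-two block and splits into a /22 plus a /23.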
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,089
    Oh, so you CAN use * to represent the subnet? That was one of the first things I tried, but it kept saying invalid format. I'll give that another shot and see.
    Edit:
    It seems to be a small bug in NoRoot that says invalid format while you're typing in an IP range using * to mean the subnet; the invalid format message disappears when you finish typing it in.
     
    Last edited: Nov 29, 2017