
Barry J. Stiefel
2005-08-12, 21:50
Authorizing Users by IP Range


I have a client that does not wish to enable user authentication. Their administrator believes that the extra login prompt would confuse his users. The client is a law firm, who wants to give full internet access to the attorneys and IT staff. The remaining secretary and support staff would only have email capabilities. The client's recommendation for access rights follows:

The entire firm fits within a single class C subnet. For attorneys and IT staff, hard coded IP addresses would be given to the workstations. For the remaining support staff, IP addresses would be assigned via DHCP.

Since the hard coded IP addresses would be in the lower range of this address range (a.b.c.10 - 30), and the DHCP addresses in the high range (a.b.c.100 - 250), would it be possible to define a rule in FW1 that expresses the low range gets full access, while the high range just gets SMTP?

I have been able to create two network objects in FireWall-1 by address range. However, I cannot get these objects to appear when I create a new rule. Is it possible to include an address range in the rules?

I know this sounds a bit unorthodox. However, the client is quite adamant about how their users get access. User authentication would work well in this situation, but is not an option. Provided there are no methods of using IP ranges to limit access, this option may have to be changed.


Address Range objects cannot be used in the Security Policy. They can only be used in NAT rules. However, you can still do what you would like to do without having to resort to user authentication. You need to create several objects (a combination of networks and hosts) that capture that range and add them to a group. In your case, you could create the following network objects to cover the "low" range you specified:

a.b.c.10 with a subnet mask (covers hosts 10 and 11)
a.b.c.12 with a subnet mask (covers hosts 12 thru 15)
a.b.c.16 with a subnet mask (covers hosts 16 thru 23)
a.b.c.24 with a subnet mask (covers hosts 24 thru 27)
a.b.c.28 with a subnet mask (covers hosts 28 and 29)
a.b.c.30 as a "host" object (to cover 30)

You could do something similar with the 100-250 range, but I will leave that as an exercise for the reader.

-- PhoneBoy (http://www.phoneboy.com/bin/view.pl/Main/PhoneBoy) - 10 Jan 2004
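The block-splitting PhoneBoy describes, as an added example that is not from the original post or from Check Point: a Python routine that finds the aligned subnets covering an inclusive range, so the result can be turned into the network and host objects for a FireWall-1 group. It uses 192.0.2.0/24 as a stand-in for the firm's a.b.c subnet and also works the 100-250 range that was left as an exercise.

```python
"""Decompose an inclusive IPv4 range into the aligned subnets that cover it.

Added example: FireWall-1 address-range objects cannot appear in the
security policy, so a range must be expressed as a group of network and
host objects. 192.0.2.0/24 (a documentation prefix) stands in for "a.b.c".
"""
import ipaddress


def range_to_subnets(first, last):
    """Return the minimal list of IPv4Network objects covering first..last."""
    start, end = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after range end")
    subnets = []
    while start <= end:
        # Largest block aligned at 'start': its size is the lowest set bit of
        # the address (0.0.0.0 is aligned to the whole address space).
        size = start & -start if start else 1 << 32
        # Shrink the block until it no longer overshoots the end of the range.
        while size > end - start + 1:
            size >>= 1
        prefix = 33 - size.bit_length()          # size == 2 ** (32 - prefix)
        subnets.append(ipaddress.IPv4Network((start, prefix)))
        start += size
    return subnets


def describe(subnets):
    """Render each block the way the answer lists them: object, mask, hosts covered."""
    lines = []
    for net in subnets:
        kind = "host" if net.prefixlen == 32 else f"network mask {net.netmask}"
        lines.append(f"{net.network_address} {kind} (covers {net[0]} thru {net[-1]})")
    return lines


if __name__ == "__main__":
    # The "low" range from the answer and the "high" range left as an exercise.
    for lo, hi in (("192.0.2.10", "192.0.2.30"), ("192.0.2.100", "192.0.2.250")):
        print(f"{lo} - {hi}:")
        for line in describe(range_to_subnets(lo, hi)):
            print("   ", line)
```

The low range reproduces the six objects in the answer exactly; the high range needs nine objects, so a single group per range keeps the rule base to two rules.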
