From owner-freebsd-questions@FreeBSD.ORG Tue Mar 18 08:56:09 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CBFEE140 for ; Tue, 18 Mar 2014 08:56:09 +0000 (UTC) Received: from bs1.fjl.org.uk (bs1.fjl.org.uk [84.45.41.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 4EEC4DB1 for ; Tue, 18 Mar 2014 08:56:08 +0000 (UTC) Received: from [192.168.1.35] (host86-150-244-178.range86-150.btcentralplus.com [86.150.244.178]) (authenticated bits=0) by bs1.fjl.org.uk (8.14.4/8.14.4) with ESMTP id s2I8u6q3051413 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES128-SHA bits=128 verify=NO) for ; Tue, 18 Mar 2014 08:56:06 GMT (envelope-from frank2@fjl.co.uk) Message-ID: <53280A29.2040902@fjl.co.uk> Date: Tue, 18 Mar 2014 08:56:09 +0000 From: Frank Leonhardt User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: Controlling WAN access using natd/ipfw References: <5326FA3B.7080006@fjl.co.uk> In-Reply-To: <5326FA3B.7080006@fjl.co.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.17 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Mar 2014 08:56:09 -0000 No one? I'll drive there later today and try the options safely. Regards, Frank. On 17/03/2014 13:35, Frank Leonhardt wrote: > I can see a few strategies for doing this, but as I'm about to change > a firewall remotely I'd rather have a definitive working example for > obvious reasons... :-) > > The setup is simple. natd and ipfw are currently sharing a public /29 > with a private /24. Everything on the LAN can currently do anything > likes through the gateway. > > I want to stop anything on the LAN between 192.168.1.50 and > 192.168.1.100 (for example) from getting through the gateway (they can > use the proxy). Everything else should be business as usual. > > Current ipfw script is: > > /sbin/ipfw add divert natd all from any to any via rl0 > /sbin/ipfw add pass all from any to any > > Which, as a sanity check, leads to: > > 00100 divert 8668 ip from any to any via rl0 > 00200 allow ip from any to any > 65535 deny ip from any to any > > I'm having a brain storm here. Should rule 50 be "deny ip from > 192.168.1.50-192.168.1.100 to any" > > I don't even know if it'll buy that kind of IP address list (I suspect > not). I know it does CIDR but the range doesn't suit, or a table > (which I've never used before, but if I've got the syntax I might just > as well add multiple rules as table entries in this case). And I'm > completely not sure about what natd does to all of this - never been > there before. > > So - can anyone tell me EXACTLY the line I need? It's four hours of > driving if I get it wrong... > > As a supplementary questions, presumably I can add a port number after > the source specification to block individual ports? > > Thanks, Frank. >