From owner-freebsd-questions Sat Jun 23 12:44:15 2001
Date: Sat, 23 Jun 2001 13:43:49 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: "Ing. Guillermo R. Martinez Hernandez"
Cc: freebsd-questions@freebsd.org
Subject: RE: I need firewalled a Net .
In-Reply-To: <001001c0fc0c$e1ff83c0$0290fea9@v2e6x5>
Organization: SaskNow Technologies [www.sasknow.com]

Ing. Guillermo R. Martinez Hernandez wrote to Ryan Thompson:

> > > I need firewall a Net example
> > >
> > > 200.34.46.0 to 200.34.46.255 in class "A" or " B"
> > >
> > > Thanks !!!
> >
> > Ok. I think we need a bit more information.
> >
> > 200.34.46.0 to 200.34.46.255 is a class "C" network.
> >
> > What are you trying to firewall? Or do you merely want to set up a gateway
> > as an open firewall for now?
> >
> > Will the firewall be in this block of addresses, or will it multihome
> > another network?
> >
> > Do you need this entire subnet behind the firewall?
> >
> > Have you decided on firewall software? (for example, ipfw)
> >
> > - Ryan
>
> Thanks !!
>
> Ryan
>
> Excuse my English please :-)
>
> I have the ipfw software running and I need a rule that allows one block
> of IP addresses and denies all.

If ipfw is in the "default deny" state (in other words, anything that is
not allowed is denied), the last rule you should have (and this can not
be changed) is:

	65535 deny ip from any to any

So, now you just need a rule to allow traffic from this netblock:

> > > 200.34.46.0 to 200.34.46.255 in class "A" or " B"

try this:

	/sbin/ipfw add 1000 allow ip from any to 200.34.46.0/24
	/sbin/ipfw add 1100 allow ip from 200.34.46.0/24 to any

> I need to allow AOL Messenger and deny all www. My problem is that AOL
> has too many IPs, and it is difficult to know which IPs it uses.

You can allow or deny individual services like this:

	ipfw add 200 deny ip from any to any 80

Stops ALL www traffic. (Since this is rule 200, it is before rule 1000
(above), and therefore even blocks WWW traffic on the /24 network).

To allow AOL instant messenger, you shouldn't have to allow access to all
of AOL's servers (that's a bad idea anyway... then you're restricting the
addresses, not the protocols. And, as you say, AOL has way too many
addresses to find and specify).

If I'm right, 5190 is the port used by AOL instant messenger:

	ipfw add 200 allow tcp from any to any 5190
	ipfw add 210 allow udp from any to any 5190

This is rather general... you might want to restrict which machines or
subnets on the local network can use AIM, but with a little bit of
firewall knowledge, this should get you on the right track.

> Guillermo ( Willam )

Hope this helps,

- Ryan

-- 
Ryan Thompson <ryan@sasknow.com>
Network Administrator, Accounts

SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

Tel: 306-664-3600 Fax: 306-664-1161 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
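The rule set Ryan describes, as an added example that is not part of the original mail: a small sh script that loads the rules (dry run by default, printing the ipfw commands) and a first-match simulator, written in plain sh, that shows why the port-80 deny at rule 200 blocks www traffic even for the /24 that rule 1000 allows. Everything beyond the mail's own rules is my assumption: the LAN variable, distinct numbers 200/210/220 for the www and AIM rules (the mail reuses 200), "tcp" instead of "ip" on the port-80 rule, a kernel whose default rule 65535 is "deny ip from any to any", and the simulator's simplified matching (protocol, addresses and destination port only; ipfw keywords such as in/out/via or established are not modelled).

```shell
#!/bin/sh
# Added example, not from the original mail: Ryan's rule set as an ipfw(8)
# script, plus a tiny first-match simulator in plain sh so the ordering can
# be checked offline without root or a FreeBSD box.
# Assumptions (mine, not in the mail): the LAN variable; distinct rule numbers
# 200/210/220 for the www and AIM rules; "tcp" rather than "ip" on the port-80
# rule; and a kernel whose default rule 65535 is "deny ip from any to any".

LAN=200.34.46.0/24

# Rule table: number action proto src dst dst-port ("-" means any port).
# ipfw walks rules in number order and stops at the first match, so the
# deny on port 80 at 200 wins over the allow for the whole /24 at 1000.
rules() {
    cat <<EOF
200 deny tcp any any 80
210 allow tcp any any 5190
220 allow udp any any 5190
1000 allow ip any $LAN -
1100 allow ip $LAN any -
65535 deny ip any any -
EOF
}

# Dry run by default: print the commands. Set IPFW=/sbin/ipfw and run as
# root on FreeBSD to actually load them.
run_ipfw() {
    if [ -n "$IPFW" ]; then "$IPFW" "$@"; else echo ipfw "$@"; fi
}

load_rules() {
    rules | while read -r num action proto src dst port; do
        [ "$num" = 65535 ] && continue   # the kernel's default rule, not added here
        [ "$port" = "-" ] && port=""
        run_ipfw add "$num" "$action" "$proto" from "$src" to "$dst" $port
    done
}

# Dotted quad -> 32-bit integer, for prefix matching in shell arithmetic.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net <ip> <any|a.b.c.d/n>: succeed if the address falls in the prefix.
in_net() {
    [ "$2" = any ] && return 0
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict <proto> <src-ip> <dst-ip> <dst-port>: print "<rule> <action>" for
# the first matching rule, the way ipfw evaluates a packet. Only protocol,
# addresses and destination port are modelled; keywords such as in/out/via
# or established are not.
verdict() {
    rules | while read -r num action rproto rsrc rdst rport; do
        [ "$rproto" = ip ] || [ "$rproto" = "$1" ] || continue
        in_net "$2" "$rsrc" || continue
        in_net "$3" "$rdst" || continue
        [ "$rport" = "-" ] || [ "$rport" = "$4" ] || continue
        echo "$num $action"
        break
    done
}

# Show the load order, then check that the ordering does what the mail says:
# www to a host in the /24 is denied by 200, ssh to it is allowed by 1000,
# AIM from the /24 matches 220 before 1100, and unrelated traffic hits 65535.
load_rules
for pkt in "tcp 10.0.0.5 200.34.46.7 80"  \
           "tcp 10.0.0.5 200.34.46.7 22"  \
           "udp 200.34.46.9 64.12.1.1 5190" \
           "tcp 10.0.0.5 10.0.0.6 443"; do
    echo "$pkt -> $(verdict $pkt)"
done
```

Run it as-is to see the commands and verdicts; the packets at the end are constructed test inputs, not traffic from the mail. The simulator is only there to make the ordering visible: on a real box, `ipfw show` after loading is the authoritative view, and the live rule set should also carry the `in`/`out`/`via` qualifiers the mail leaves out.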