From owner-freebsd-questions Mon Feb 21 11:56:13 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from hydrant.intranova.net (hydrant.intranova.net [209.201.95.10]) by hub.freebsd.org (Postfix) with SMTP id 7D81E37B548 for ; Mon, 21 Feb 2000 11:56:03 -0800 (PST) (envelope-from oogali@intranova.net)
Received: (qmail 6918 invoked from network); 21 Feb 2000 19:56:04 -0000
Received: from localhost (user53474@127.0.0.1) by hydrant.intranova.net with SMTP; 21 Feb 2000 19:56:04 -0000
Date: Mon, 21 Feb 2000 14:56:04 -0500 (EST)
From: Omachonu Ogali
To: Doug Barton
Cc: Mark Stout , freebsd-questions@FreeBSD.ORG
Subject: Re: Reading rules in IPFW
In-Reply-To: <38B0E408.BEBB049D@gorean.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Sorry, but both of your rulesets are incorrect. Use these:

ipfw add permit log tcp from 209.13.14.0/24 to 209.60.152.2 23 setup in
ipfw add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23 setup in
ipfw add permit log tcp from any to 209.60.152.2 80 setup in
ipfw add permit log tcp from any to 209.60.152.2 21 setup in
ipfw add permit log tcp from 209.60.152.2 to any out
ipfw add permit log tcp from any to any established
ipfw add deny log ip from any to any

On Sun, 20 Feb 2000, Doug Barton wrote:

> Mark Stout wrote:
>
> > I wrote some rules for IPFW that work as intended as long as I keep the
> > default "allow ip from any to any" as the last rule. If I make it "deny ip
> > from any to any" as the last rule my previous rules that once worked now
> > don't. Nobody can get in. This seems right.
> >
> > Here's a sampling of the rules I have that work.
> >
> > 100 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
> > 100 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
> > 100 add permit log tcp from any to 209.60.152.2 80
> > 100 add permit log tcp from any to 209.60.152.2 21
> > 100 add deny log tcp from any to 209.60.152.2 23
> > ...
> > 65535 allow ip from any to any
> >
> > I allow access to Telnet from any host on network 209.13.14.0
> > I allow access to Telnet from any host on network 209.13.15.0
> > I allow HTTP from anyone
> > I allow FTP from anyone
> > I then deny Telnet from everyone else
> >
> > The default rule #65535 allows everything else in. Now, where I keep these
> > same rules but change 65535 to deny ip from any to any, then nothing is
> > allowed in, not HTTP or FTP.
> >
> > Does IPFW stop at the first match or does it continue through the rest of
> > the rules?
>
> Barring any special rules, it operates on a first match principle.
> Although technically you can make multiple rules with the same number, it's
> not a good idea. Also, you're not supposed to change rule 65535, I'm not
> even sure you can, or what would happen if you try. I would try the
> following list:
>
> 1000 add permit log tcp from any to 209.60.152.2 80
>
> 2000 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
> 2001 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
>
> 3000 add permit log tcp from any to 209.60.152.2 21
>
> 9000 add deny log tcp from any to 209.60.152.2 23
>
> 65000 add deny ip from any to any
>
> Of course this assumes that you have proper entries elsewhere for your
> loopback, etc. If these rules don't work, please send the output of 'ipfw
> show' to the list.
>
> Good luck,
>
> Doug

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali@intranova.net |
| Intranova Networking Group                  http://tribune.intranova.net |
| PGP Key ID: 0xBFE60839                                                   |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34         |
+-------------------------------------------------------------------------+
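The first-match behaviour Doug describes, and why Mark's rules stop working as soon as the default becomes deny (nothing permits the server's own replies, which the `out` and `established` rules in the corrected set cover), can be checked with a small simulator. This is an added example, not code from the thread; it models TCP only, treats `setup` as SYN-without-ACK and `established` as ACK-set, and uses a constructed client at 198.51.100.7 with client port 40000.

```python
import ipaddress

ACTIONS = {"permit": "permit", "allow": "permit", "pass": "permit", "deny": "deny"}

def parse_rule(text):
    # ipfw subset used in the thread: [num] [add] action [log] proto from SRC to DST [PORT] [setup] [established] [in|out]
    toks = text.split()
    while toks[0] not in ACTIONS:  # skip a leading rule number and/or "add"
        toks = toks[1:]
    action, toks = ACTIONS[toks[0]], toks[1:]
    if toks[0] == "log": toks = toks[1:]
    proto, src, dst, rest = toks[0], toks[2], toks[4], toks[5:]
    port = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port, "opts": set(rest)}

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    # pkt keys: src, dst, dport, dir ("in"/"out"), syn, ack. Only TCP packets are modelled, so "ip" and "tcp" rules both apply.
    if not (addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])): return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]: return False
    o = rule["opts"]
    if "setup" in o and not (pkt["syn"] and not pkt["ack"]): return False  # setup: SYN without ACK
    if "established" in o and not pkt["ack"]: return False                # established: ACK (or RST) set
    return not (("in" in o and pkt["dir"] != "in") or ("out" in o and pkt["dir"] != "out"))

def verdict(rules, pkt, default="deny"):
    # first match wins; an unmatched packet falls through to the default rule 65535
    for r in rules:
        if rule_matches(r, pkt): return r["action"]
    return default

def connection_allowed(rules, default, packets):
    return all(verdict(rules, p, default) == "permit" for p in packets)

# constructed HTTP handshake, client 198.51.100.7 -> server 209.60.152.2: SYN in, SYN/ACK out, ACK in
HTTP = [{"src": "198.51.100.7", "dst": "209.60.152.2", "dport": 80, "dir": "in", "syn": True, "ack": False},
        {"src": "209.60.152.2", "dst": "198.51.100.7", "dport": 40000, "dir": "out", "syn": True, "ack": True},
        {"src": "198.51.100.7", "dst": "209.60.152.2", "dport": 80, "dir": "in", "syn": False, "ack": True}]
ORIGINAL = [parse_rule(r) for r in (  # Mark's rules: return traffic is only covered by the default rule
    "100 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23", "100 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23",
    "100 add permit log tcp from any to 209.60.152.2 80", "100 add permit log tcp from any to 209.60.152.2 21",
    "100 add deny log tcp from any to 209.60.152.2 23")]
FIXED = [parse_rule(r) for r in (  # Omachonu's ruleset, with its own explicit deny at the end
    "add permit log tcp from 209.13.14.0/24 to 209.60.152.2 23 setup in", "add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23 setup in",
    "add permit log tcp from any to 209.60.152.2 80 setup in", "add permit log tcp from any to 209.60.152.2 21 setup in",
    "add permit log tcp from 209.60.152.2 to any out", "add permit log tcp from any to any established",
    "add deny log ip from any to any")]
```

With `ORIGINAL` the handshake passes only while the default is permit, because the SYN/ACK leaving 209.60.152.2 matches none of the rules; with `FIXED` it passes regardless of the default, and a telnet SYN from an address outside the two /24s is denied.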