From: "Marwan Sultan"
To: "FreeBSD questions List"
Date: Wed, 4 Feb 2004 11:49:50 +0300
Message-Id: <20040203195904.M73395@kifco.net>
Subject: ipfw rules help.

Hello everyone.

I'm on FreeBSD 4.8R, NATd, ipfw enabled, everything working fine. My box is behind a DSL modem router and the clients are behind the FreeBSD box. My LAN is class C IPs. I compiled ipfw to accept by default.

This is my ipfw list:

    00050 divert 8668 ip from any to any via rl0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 allow ip from any to any

My questions:

a) Let's say I want to deny everything except a range of IPs starting from 192.168.1.1 to 192.168.1.50. What should the rule set be? How do I set a range of IPs to pass, and deny the rest of the class C? The FreeBSD docs do not cover this, or I did not see it!

b) If I want to deny everything except IP 192.168.1.5, as follows:

    00400 allow all from 192.168.1.5 to any
    01000 deny all from any to any

When ipfw reads the rules and passes by 00400, then comes to 01000, it denies even 192.168.1.5, although I put this rule before the deny. What am I missing? How should I pass one IP and deny all?

c) If I want rule 00400 to expire at 9PM and be active at 8AM (example), how do we do that? Is it by setting a cron job to delete and add the ipfw rule, or is there something to do from ipfw itself?

d) Last question: if I restart the box, all the rules will be reset and come back to the default, which is reasonable. How do I keep them every time I restart? Do I create a file somewhere and tell my rc.conf about it? What should the rc.conf line be, and what is the file format?

Question out of subject: how can I do something through a cron job to make the box email me the log of the firewall every day at a certain time, let's say 9PM?

I hope these questions will help many others, as they will help me. And thank you very much for this list and help.

-- 
Marwan Sultan
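A worked example added here for questions a), b) and d); it is not part of Marwan's message or of FreeBSD's own scripts. The POSIX sh script splits an arbitrary dotted-quad range into the addr/masklen blocks ipfw accepts, emits the allow rules with lower numbers than the catch-all deny (ipfw stops at the first matching rule), and writes them in the one-command-per-line form that `ipfw <file>` reads; the rule numbers, the /etc/ipfw.rules path and the rc.conf variables named in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Rule numbers, the rules file path
# and the rc.conf lines are assumptions chosen for illustration.

ip_to_int() {
    # Convert a dotted quad (a.b.c.d) to a 32-bit integer.
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range_to_cidr() {
    # Print the smallest set of CIDR blocks covering $1..$2 inclusive, one per line.
    # ipfw takes addr/masklen, so a range such as .1-.50 needs several blocks.
    start=$(ip_to_int "$1")
    end=$(ip_to_int "$2")
    while [ "$start" -le "$end" ]; do
        bits=32
        # Widen the block while it stays aligned to its size and inside the range.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int_to_ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

emit_rules() {
    # Emit a rule file for "ipfw /etc/ipfw.rules": allow blocks for $1..$2 first,
    # then deny the rest of subnet $3. ipfw stops at the first matching rule,
    # so the allow rules must carry lower numbers than the deny.
    n=400
    range_to_cidr "$1" "$2" | while read -r block; do
        echo "add $n allow ip from $block to any"
        n=$(( n + 10 ))
    done
    echo "add 1000 deny ip from $3 to any"
}

# Assumed use: emit_rules 192.168.1.1 192.168.1.50 192.168.1.0/24 > /etc/ipfw.rules
# then firewall_enable="YES" and firewall_type="/etc/ipfw.rules" in /etc/rc.conf.
emit_rules 192.168.1.1 192.168.1.50 192.168.1.0/24
```

A range that happens to be a whole power-of-two block (for example .0 to .63) collapses to a single rule, which is the cheapest shape to keep in the rule list.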