From owner-freebsd-stable Thu Feb 15 6: 9:55 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from ultrakill.noc.demon.net (ultrakill.noc.demon.net [195.11.55.73]) by hub.freebsd.org (Postfix) with ESMTP id 70C2237B401 for ; Thu, 15 Feb 2001 06:09:52 -0800 (PST)
Received: from chrise by ultrakill.noc.demon.net with local (Exim 3.20 #1) id 14TP6T-000P2k-00; Thu, 15 Feb 2001 14:09:49 +0000
Date: Thu, 15 Feb 2001 14:09:49 +0000
From: Chris Elsworth
To: Simon Loader
Cc: stable@FreeBSD.ORG
Subject: Re: ipfw query..
Message-ID: <20010215140949.A96244@demon.net>
References: <20010215130342.A95395@demon.net> <20010215135309.A23654@rug-rats.org> <3A8BE217.7AF6BFBD@herculeez.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3A8BE217.7AF6BFBD@herculeez.com>; from simon@herculeez.com on Thu, Feb 15, 2001 at 02:05:11pm +0000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Feb 15, 2001 at 02:05:11pm +0000, Simon Loader wrote:
> Bradley Kite wrote:
> >
> > I'm sure there is a flag you can append to the end of
> > the pipe rules, that tells ipfw to continue going through the rules
> > instead of stopping when they match.
> >
> > I can't remember what the flag is tho, sorry :-(
> >
> > > I'm sure I'm doing something really fundamentally wrong here, but if I do
> > > this with ipfw:
> > >
> > > 00300 0 0 pipe 15 ip from any to 195.11.8.227
> > > 00400 0 0 pipe 20 ip from 195.11.8.227 to any
> > >
> > > and then later on:
> > >
> > > 03000 0 0 unreach host tcp from any to 195.11.8.227 3306
> > >
> couldn't you move rule 3000 to 290 or something ?
> Or perhaps you haven't a certain reason for this order ?

Here's the order I do it in..
>-- pipes first - I was planning to do everything so I could count it and bandwidth limit it
deny anything appearing to come from RFC1918 ranges
deny any ports I specifically don't want people to see like 3306
deny any source IPs I specifically don't want to let in
allow selected privileged ports (ssh, smtp, et al)
allow selected outbound accesses (tho this is paranoid and could go)
deny everything else
>--

If I don't put the pipes first then I can't bandwidth limit, because when the packets go through one of the allow rules, to, say, sshd - then they'll never see the pipe and won't get limited or counted. So the pipes have to come first..

--
Chris Elsworth              tel: 020 8371 1041
Systems Administrator       mob: 07968 324 693      demon @ thus
Web & Hosting Team          chrise@demon.net        http://www.demon.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
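The first-match behaviour Chris's ordering depends on (pipes first, then the deny and allow rules), as an added example that is not part of the thread: a small Python model of ipfw evaluation. It assumes that a matching pipe rule counts the packet and then hands it back to the rule after the pipe, which is what the FreeBSD sysctl net.inet.ip.fw.one_pass=0 does; with one_pass=1 the packet leaving the pipe is accepted without further checks. The rule numbers other than 300, 400 and 3000, the RFC1918 and service rules, and the sample packets are constructed for the example.

```python
"""Toy model of ipfw first-match evaluation with dummynet pipe rules.

Added example, not code from the thread. Rules are evaluated in ascending
number order; the first matching allow/deny/unreach rule ends evaluation;
a matching pipe rule counts the packet and then either continues at the
next rule (one_pass=0, the assumption Chris's ordering relies on) or
accepts the packet outright (one_pass=1).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOST = "195.11.8.227"  # the host address used in the thread


@dataclass
class Rule:
    number: int
    action: str                 # "pipe", "allow", "deny" or "unreach"
    src: str                    # "any" or a CIDR / single address
    dst: str
    proto: str = "ip"           # "ip" matches every protocol
    dport: Optional[int] = None
    pipe: Optional[int] = None  # dummynet pipe number for "pipe" rules
    packets: int = 0            # ipfw's per-rule packet counter

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        for want, have in ((self.src, pkt["src"]), (self.dst, pkt["dst"])):
            if want != "any" and ip_address(have) not in ip_network(want):
                return False
        return True


def evaluate(rules: list, pkt: dict, one_pass: bool = False) -> str:
    """Return the verdict ('allow' or 'deny') for one packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        rule.packets += 1
        if rule.action == "pipe":
            # one_pass=1: the packet leaving the pipe is accepted outright.
            # one_pass=0: it re-enters ipfw at the rule after the pipe rule.
            if one_pass:
                return "allow"
            continue
        return "allow" if rule.action == "allow" else "deny"
    return "deny"  # the rulesets below always end in an explicit deny


def pipes_first() -> list:
    """Chris's ordering: pipes, RFC1918, unwanted ports, services, deny all."""
    return [
        Rule(300, "pipe", "any", HOST, pipe=15),
        Rule(400, "pipe", HOST, "any", pipe=20),
        Rule(1000, "deny", "10.0.0.0/8", "any"),       # constructed numbers
        Rule(1010, "deny", "172.16.0.0/12", "any"),
        Rule(1020, "deny", "192.168.0.0/16", "any"),
        Rule(3000, "unreach", "any", HOST, proto="tcp", dport=3306),
        Rule(4000, "allow", "any", HOST, proto="tcp", dport=22),
        Rule(4010, "allow", "any", HOST, proto="tcp", dport=25),
        Rule(65000, "deny", "any", "any"),
    ]


def allow_before_pipe() -> list:
    """Same rules, but the ssh allow rule renumbered ahead of the pipes."""
    rules = pipes_first()
    for r in rules:
        if r.action == "allow" and r.dport == 22:
            r.number = 200
    return rules


def run(rules: list, packets: list, one_pass: bool = False) -> tuple:
    """Evaluate each packet; return (verdicts, packets counted by pipe 15)."""
    verdicts = [evaluate(rules, p, one_pass) for p in packets]
    counted = sum(r.packets for r in rules if r.action == "pipe" and r.pipe == 15)
    return verdicts, counted


# Constructed sample traffic towards the host: ssh, mysql, and ssh from a
# source address in an RFC1918 range (which should never arrive from outside).
SAMPLE = [
    {"src": "203.0.113.9", "dst": HOST, "proto": "tcp", "dport": 22},
    {"src": "203.0.113.9", "dst": HOST, "proto": "tcp", "dport": 3306},
    {"src": "192.168.1.5", "dst": HOST, "proto": "tcp", "dport": 22},
]

if __name__ == "__main__":
    print(run(pipes_first(), SAMPLE))                  # (['allow', 'deny', 'deny'], 3)
    print(run(allow_before_pipe(), SAMPLE))            # (['allow', 'deny', 'allow'], 1)
    print(run(pipes_first(), SAMPLE, one_pass=True))   # (['allow', 'allow', 'allow'], 3)
```

With the pipes first every packet to the host is counted before the deny and allow rules decide its fate, which is exactly the property Chris wants. Renumbering the ssh allow ahead of the pipes shows the problem he describes: the ssh packet is accepted by rule 200 and the pipe never sees it. That reordering also places the allow ahead of the RFC1918 denies, so the spoofed 192.168.1.5 packet is accepted too, a reminder that first-match means every rule moved forward also jumps the checks that used to precede it. The third run shows the other trap: with one_pass=1, pipes first would accept everything, because nothing after the pipe is ever consulted.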