From owner-freebsd-questions Thu Feb 27 09:32:02 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA08590 for questions-outgoing; Thu, 27 Feb 1997 09:32:02 -0800 (PST)
Received: (from jmb@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA08518; Thu, 27 Feb 1997 09:31:35 -0800 (PST)
From: "Jonathan M. Bresler"
Message-Id: <199702271731.JAA08518@freefall.freebsd.org>
Subject: Re: ipfw rules problems (NOT operator?)
To: brandon@cold.org (Brandon Gillespie)
Date: Thu, 27 Feb 1997 09:31:35 -0800 (PST)
Cc: freebsd-questions@freebsd.org
In-Reply-To: from "Brandon Gillespie" at Feb 27, 97 09:05:59 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Brandon Gillespie wrote:
>
> > then write those rules and do not write an "allow all from
> > ${onet}:${omask} to any" rule.
> >
> > how about telling us what effect you want?  for instance
> > allow telnet from the inside to ___, but no incoming telnet
> > connections.  allow pasv ftp.  don't allow any icmp.  etc...
>
> I did :b  But I'll do again:
>
>                Cleanwall            Firewall
>                    :                    |
>   Internet  =>     :   =>  Localnet  => |  =>  Securenet
>                    :     206.81.134.0   |     192.168.1.0
>                    :                    |
>
> I want the Firewall (FreeBSD) to _only_ allow telnet, dns and lp/lpr
> (npp?) from the outside in--furthermore I want it to ONLY allow tcp
> packets from 206.81.134.0.  Same goes for the inside out, except for with

ahh....i'm sorry, i missed the list (telnet dns lp).  must be getting old ;)

the 6 rules below should allow telnet, dns, and lpr from the Localnet to
the Securenet (and allow the Securenet to respond to the Localnet)

# the next 6 rules handle connections from Localnet -> Securenet

# allow telnet from Localnet to Securenet (incl. connection setup)
# and allow the Securenet to respond to telnet packets from Localnet
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 telnet
ipfw add allow tcp from 192.168.1/24 telnet to 206.81.134/24 established

# allow lpr from Localnet to Securenet
# and allow Securenet to respond to lpr requests from Localnet
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 printer
ipfw add allow ip from 192.168.1/24 printer to 206.81.134/24

# allow dns queries from Localnet to Securenet
# and allow Securenet to respond to dns queries from Localnet
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 domain
ipfw add allow ip from 192.168.1/24 domain to 206.81.134/24

# the next 6 rules handle connections from Securenet -> Localnet
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24 telnet
ipfw add allow tcp from 206.81.134/24 telnet to 192.168.1/24 established
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 printer
ipfw add allow ip from 206.81.134/24 printer to 192.168.1/24
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 domain
ipfw add allow ip from 206.81.134/24 domain to 192.168.1/24

you said above "furthermore I want it to ONLY allow tcp packets from
206.81.134.0."  is this *in*addition*to* telnet dns and lpr?  or a
restriction upon dns and lpr (either do/can use udp in addition to tcp)

# allow ONLY tcp packets, all tcp packets from Localnet to Securenet
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24

if you use the 2 rules above you can get rid of the rules with "tcp" and
"telnet" in them; these two are a superset

you can add "via" to these rules to harden them if you wish.

jmb
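The following is an added example, not code from the message above or from FreeBSD's ipfw. It is a small stateless first-match evaluator for the rule subset used in the reply (`allow|deny <proto> from <net> [port] to <net> [port] [established]`, with ipfw's implicit final `deny ip from any to any`), loaded with the twelve rules as posted ("form" corrected to "from") and run against a few constructed packets. The model's assumptions, which are mine: `ip` matches every protocol, a port qualifier can only be satisfied by a tcp or udp packet, and `established` means a TCP segment with ACK or RST set. The host addresses and client ports in the test packets are made up.

```python
"""Stateless first-match evaluator for the ipfw rule subset in the message above.

Added example, not code from the e-mail or from ipfw itself. Model assumptions:
"ip" matches every protocol; a port qualifier is only satisfiable by tcp/udp;
"established" means a TCP segment with ACK or RST set; unmatched packets hit
ipfw's default rule 65535, deny ip from any to any.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the rules, resolved to their /etc/services ports.
SERVICES = {"telnet": 23, "domain": 53, "printer": 515}


@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    established: bool = False   # TCP segment with ACK or RST set


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


def _net(text: str) -> ipaddress.IPv4Network:
    """Parse "any" or an ipfw-style, possibly truncated, address like 206.81.134/24."""
    if text == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, bits = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + ("/" + bits if bits else ""), strict=False)


def _port(tok: str) -> int:
    return SERVICES[tok] if tok in SERVICES else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse "[ipfw add] action proto from net [port] to net [port] [established]"."""
    toks = line.split()
    if toks[:2] == ["ipfw", "add"]:
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    if toks[2] != "from":
        raise ValueError("expected 'from' in: " + line)
    src, i, sport = _net(toks[3]), 4, None
    if toks[i] != "to":
        sport, i = _port(toks[i]), i + 1
    if toks[i] != "to":
        raise ValueError("expected 'to' in: " + line)
    dst, i, dport = _net(toks[i + 1]), i + 2, None
    if i < len(toks) and toks[i] != "established":
        dport, i = _port(toks[i]), i + 1
    established = i < len(toks) and toks[i] == "established"
    return Rule(action, proto, src, sport, dst, dport, established)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    has_ports = pkt.proto in ("tcp", "udp")
    if rule.sport is not None and (not has_ports or pkt.sport != rule.sport):
        return False
    if rule.dport is not None and (not has_ports or pkt.dport != rule.dport):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.established):
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, 1-based position of the first matching rule); 65535 is the default deny."""
    for pos, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, pos
    return "deny", 65535


# The twelve rules from the message, in the order posted.
RULESET = [parse_rule(r) for r in """
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 telnet
ipfw add allow tcp from 192.168.1/24 telnet to 206.81.134/24 established
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 printer
ipfw add allow ip from 192.168.1/24 printer to 206.81.134/24
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 domain
ipfw add allow ip from 192.168.1/24 domain to 206.81.134/24
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24 telnet
ipfw add allow tcp from 206.81.134/24 telnet to 192.168.1/24 established
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 printer
ipfw add allow ip from 206.81.134/24 printer to 192.168.1/24
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 domain
ipfw add allow ip from 206.81.134/24 domain to 192.168.1/24
""".strip().splitlines()]

# Constructed packets (hosts and client ports are made up for this example).
TELNET_SYN = Packet("tcp", "206.81.134.10", 1025, "192.168.1.5", 23)
TELNET_SYNACK = Packet("tcp", "192.168.1.5", 23, "206.81.134.10", 1025, established=True)
DNS_QUERY = Packet("udp", "206.81.134.10", 1234, "192.168.1.5", 53)
# A Securenet host opening a NEW connection to a Localnet ssh port, with its
# source port chosen to look like a telnet or lpr reply (root can bind < 1024).
FORGED_TELNET = Packet("tcp", "192.168.1.5", 23, "206.81.134.10", 22)
FORGED_LPR = Packet("tcp", "192.168.1.5", 515, "206.81.134.10", 22)

if __name__ == "__main__":
    for name, pkt in [("telnet SYN", TELNET_SYN), ("telnet SYN/ACK", TELNET_SYNACK),
                      ("dns query", DNS_QUERY), ("forged sport 23", FORGED_TELNET),
                      ("forged sport 515", FORGED_LPR)]:
        print(f"{name:16s} -> {verdict(RULESET, pkt)}")
```

Running it shows the intended flows working (telnet SYN allowed by rule 1, the SYN/ACK by rule 2 via `established`, the UDP query by rule 5) and one thing the message's rule set does not prevent: the forged telnet-reply SYN is dropped by the default rule, because rule 2 requires `established`, but the forged lpr-reply SYN is allowed by rule 4, which is keyed on source port 515 alone. In a stateless filter the return-path rules for lpr and dns (positions 4, 6, 10 and 12) should carry `established` for TCP just as the telnet ones do; UDP replies have no such flag, which is the gap later ipfw versions close with `keep-state`/`check-state`.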