From owner-freebsd-questions Sat Feb 8 16:05:23 1997
Return-Path: <owner-questions@freebsd.org>
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id QAA08757 for questions-outgoing; Sat, 8 Feb 1997 16:05:23 -0800 (PST)
Received: from mail.id.net (mail.id.net [199.125.1.6]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA08743; Sat, 8 Feb 1997 16:05:19 -0800 (PST)
Received: from server.id.net (server.id.net [199.125.2.20]) by mail.id.net (8.7.5/ID-Net) with ESMTP id TAA10286; Sat, 8 Feb 1997 19:12:44 -0500 (EST)
From: Robert Shady
Received: (from rls@localhost) by server.id.net (8.8.2/8.7.3) id TAA06715; Sat, 8 Feb 1997 19:05:58 -0500 (EST)
Message-Id: <199702090005.TAA06715@server.id.net>
Subject: Re: Packet filtering help please
In-Reply-To: <32FCF895.59E2B600@whistle.com> from Julian Elischer at "Feb 8, 97 02:05:09 pm"
To: julian@whistle.com (Julian Elischer)
Date: Sat, 8 Feb 1997 19:05:57 -0500 (EST)
Cc: tiller@connectnet.com, FreeBSD-Questions@freebsd.org, FreeBSD-ISP@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > this will add to my system. Also,
> > where can I find more info on how to construct rules?
> > (Beyond the man pages.)
> > I will be doing this all remotely, so getting it right the first time is
> > essential.
>
> add the following code to the rc file
> ipfw add 10000 allow ip from all to all
> ipfw add 1000 deny ip from {his address}
>
> that should about do it..
> remember that the default rule is:
> ipfw add 65536 deny ip from any to any
>
> so you need to add the allow rule above via /etc/rc
> because you won't be able to get to the box to do it by hand :)

Also remember that the numbers are the 'rule numbers'; they are parsed from
highest to lowest, and every one must be different.

In the above example, it starts out like this:

RULE #
======
65536 deny ip from any to any    (Don't let ANYONE into this box by default)
10000 allow ip from all to all   (Now allow EVERYONE into this box by default)
 1000 deny ip from a.a.a.a       (Now just deny people from a.a.a.a)

And you could add...

  999 deny ip from b.b.b.b       (Now deny people from a.a.a.a & b.b.b.b)

etc.

-- Rob

Innovative Data Services
Serving South-Eastern Michigan
Internet Service Provider / Hardware Sales / Consulting Services
Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net
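The following is an added example and is not part of the original message, nor code from ipfw itself: a small Python simulator of ipfw's first-match rule walk, run over a rule set shaped like the one in the thread (a high-numbered allow-all plus low-numbered per-address denies, with the kernel's built-in default rule underneath). It assumes ipfw's actual ordering, namely that rules are tried in ascending rule-number order and the first match decides, with rule 65535 as the built-in default deny; the RFC 5737 documentation addresses standing in for a.a.a.a and b.b.b.b, the admin/box addresses, and the `lockout_check` helper are constructed for illustration. The parser only understands the subset of ipfw syntax used in the message (`allow`/`deny`, `ip`, `from SRC [to DST]`), and the point of `lockout_check` is the remote-administration concern raised above: it tells you whether a rule set would deny your own connection before you load it on a box you cannot reach by hand.

```python
"""Simulate ipfw first-match evaluation for a small rule set.

Added example for the discussion above, not code from the original thread
or from ipfw. Addresses and rule numbers below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# ipfw's built-in last rule. It denies everything unless the kernel was
# built to accept by default, which is the case the thread worries about.
DEFAULT_RULE = (65535, "deny")


@dataclass
class Rule:
    number: int
    action: str  # "allow" or "deny"
    src: str     # host, CIDR prefix, or the wildcard "any"/"all"
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse 'NNN allow|deny ip from SRC [to DST]'.

    Only the subset of ipfw syntax used in the message is accepted; a
    missing 'to DST' is treated as 'to any'.
    """
    parts = line.split()
    if len(parts) < 5 or parts[2] != "ip" or parts[3] != "from":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action, src = int(parts[0]), parts[1], parts[4]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action in {line!r}")
    if not 1 <= number < DEFAULT_RULE[0]:
        raise ValueError(f"rule number out of range in {line!r}")
    dst = parts[6] if len(parts) >= 7 and parts[5] == "to" else "any"
    return Rule(number, action, src, dst)


def _matches(spec: str, addr: str) -> bool:
    """Wildcard, single host, or CIDR prefix match against one address."""
    if spec in ("any", "all"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rule_lines: List[str], src: str, dst: str) -> Tuple[int, str]:
    """Return (rule number, action) of the first rule that matches.

    The table is walked in ascending rule-number order (a stable sort keeps
    insertion order among equal numbers, as ipfw does); if nothing matches,
    the built-in default rule decides.
    """
    rules = sorted((parse_rule(l) for l in rule_lines), key=lambda r: r.number)
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.number, r.action
    return DEFAULT_RULE


def lockout_check(rule_lines: List[str], admin_src: str, box_dst: str) -> bool:
    """True if the admin's own traffic to the box would be denied, i.e. the
    rule set is unsafe to load on a machine you can only reach remotely."""
    return evaluate(rule_lines, admin_src, box_dst)[1] == "deny"


# Constructed rule set in the shape of the one in the message. The allow-all
# is listed first on purpose: ipfw orders by rule number, not by the order
# the 'ipfw add' lines appear in /etc/rc.
RULES = [
    "10000 allow ip from any to any",           # let everyone in by default
    "1000 deny ip from 192.0.2.10 to any",      # ...except a.a.a.a
    "999 deny ip from 198.51.100.0/24 to any",  # ...and b.b.b.b's whole /24
]

ADMIN = "203.0.113.9"  # where you administer the box from (constructed)
BOX = "203.0.113.1"    # the firewalled box itself (constructed)


if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.7", ADMIN):
        print(src, "->", evaluate(RULES, src, BOX))
    # Same set without the allow-all: the default rule eats everything,
    # including the admin's session.
    print("lockout with allow-all:", lockout_check(RULES, ADMIN, BOX))
    print("lockout without it:   ", lockout_check(RULES[1:], ADMIN, BOX))
```

Run it as a script and the last two lines show the difference between loading the allow-all rule from /etc/rc and forgetting it: with rule 10000 present the admin's packets are allowed, without it they fall through to the default deny and the box is unreachable until someone gets to the console.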