Date:      Sun, 20 Feb 2000 23:06:48 -0800
From:      Doug Barton <Doug@gorean.org>
To:        Mark Stout <mcs@vpm.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Reading rules in IPFW
Message-ID:  <38B0E408.BEBB049D@gorean.org>
References:  <4.2.0.58.20000220213559.021b4380@mail.vpm.com>

Mark Stout wrote:

> I wrote some rules for IPFW that work as intended as long as I keep the
> default "allow ip from any to any" as the last rule.  If I make it "deny ip
> from any to any" as the last rule my previous rules that once worked now
> don't.  Nobody can get in.  This seems right.
> 
> Here's a sampling of the rules I have that work.
> 
>   100 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
>   100 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
>   100 add permit log tcp from any to 209.60.152.2 80
>   100 add permit log tcp from any to 209.60.152.2 21
>   100 add deny log tcp from any to 209.60.152.2 23
>   ...
>   65535 allow ip from any to any
> 
> I allow access to Telnet from any host on network 209.13.14.0
> I allow access to Telnet from any host on network 209.13.15.0
> I allow HTTP from anyone
> I allow FTP from anyone
> I then deny Telnet from everyone else
> 
> The default rule #65535 allows everything else in.  Now, where I keep these
> same rules but change 65535 to deny ip from any to any, then nothing is
> allowed in, not HTTP or FTP.
> 
> Does IPFW stop at the first match or does it continue through the rest of
> the rules?

	Barring any special rules, it operates on a first match principle.
Although technically you can make multiple rules with the same number, it's
not a good idea. Also, you're not supposed to change rule 65535, I'm not
even sure you can, or what would happen if you try. I would try the
following list:

1000 add permit log tcp from any to 209.60.152.2 80

2000 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
2001 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23

3000 add permit log tcp from any to 209.60.152.2 21

9000 add deny log tcp from any to 209.60.152.2 23

65000 add deny ip from any to any

	Of course this assumes that you have proper entries elsewhere for your
loopback, etc. If these rules don't work, please send the output of 'ipfw
show' to the list. 

Good luck,

Doug
-- 
"Welcome to the desert of the real." 

    - Laurence Fishburne as Morpheus, "The Matrix"
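The first-match behaviour Doug describes can be checked without a FreeBSD box by walking the rule list in number order and stopping at the first hit. The following is an added example written for this archive page; it is not ipfw code and not something either poster supplied. It models Doug's proposed list (with the default rule 65535 written out explicitly), and feeds it constructed sample packets using the server address from the thread and made-up client addresses. The last sample, a server reply with source port 80, is my own addition and is not discussed in the thread: it illustrates that a rule written "from any to 209.60.152.2 80" names only one direction of the conversation, so with a deny-all at the end the reply falls through to the deny rule unless something else permits it.

```python
"""Toy model of IPFW first-match evaluation (added example, not ipfw's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", or "ip" which matches any protocol
    src: str               # "any", a host, or a CIDR prefix
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_matches(rule.src, pkt.src) or not _addr_matches(rule.dst, pkt.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def first_match(rules, pkt: Packet):
    """Evaluate rules in ascending number order and stop at the first hit,
    which is the first-match principle Doug describes. Returns (number, action)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.number, rule.action
    raise RuntimeError("no rule matched; ipfw always carries a default rule 65535")


# Doug's proposed list from the reply above, plus the default rule 65535.
DOUG_RULES = [
    Rule(1000, "permit", "tcp", "any", "209.60.152.2", 80),
    Rule(2000, "permit", "tcp", "209.13.15.0/24", "209.60.152.2", 23),
    Rule(2001, "permit", "tcp", "206.13.14.0/24", "209.60.152.2", 23),
    Rule(3000, "permit", "tcp", "any", "209.60.152.2", 21),
    Rule(9000, "deny", "tcp", "any", "209.60.152.2", 23),
    Rule(65000, "deny", "ip", "any", "any", None),
    Rule(65535, "deny", "ip", "any", "any", None),
]

# Constructed sample packets: server address from the thread, client hosts made up.
SAMPLES = {
    "http from anywhere": Packet("tcp", "198.51.100.7", "209.60.152.2", 80),
    "telnet from allowed net": Packet("tcp", "209.13.15.44", "209.60.152.2", 23),
    "telnet from elsewhere": Packet("tcp", "198.51.100.7", "209.60.152.2", 23),
    "smtp from anywhere": Packet("tcp", "198.51.100.7", "209.60.152.2", 25),
    # Server's reply to the HTTP client (source port 80, client's ephemeral port).
    # No rule in the list names this direction, so it reaches the deny-all.
    "http reply from server": Packet("tcp", "209.60.152.2", "198.51.100.7", 40123),
}


def verdicts(rules=DOUG_RULES, samples=SAMPLES):
    """Map each sample packet name to the (rule number, action) that decided it."""
    return {name: first_match(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, (num, action) in verdicts().items():
        print(f"{name:26s} -> rule {num:5d} {action}")
```

Running it shows HTTP and the permitted Telnet source stopping at rules 1000 and 2000, Telnet from elsewhere stopping at 9000, and both the unlisted service and the server's own reply landing on rule 65000, which is what a default-deny list does to anything the earlier rules did not name.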
