From owner-freebsd-questions Thu Mar 7 10:27:09 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from luna.dancingmoon-herbs.com (tpk-ppp-f132.networksplus.net [199.240.187.132]) by hub.freebsd.org (Postfix) with ESMTP id 1A2E137B41E for ; Thu, 7 Mar 2002 10:26:53 -0800 (PST)
Received: from localhost (tc-207-41-76-29.tctelco.net [207.41.76.29]) by luna.dancingmoon-herbs.com (8.11.6/8.11.6) with ESMTP id g27IerK85800 for ; Thu, 7 Mar 2002 12:40:54 -0600 (CST) (envelope-from chris@dancingmoon-herbs.com)
Date: Thu, 7 Mar 2002 12:26:48 -0600
Subject: Re: ipfw rules
Mime-Version: 1.0 (Apple Message framework v481)
From: chris
To: freebsd-questions@FreeBSD.ORG
In-Reply-To: <20020307101905.B57408@xor.obsecurity.org>
X-Mailer: Apple Mail (2.481)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thursday, March 7, 2002, at 12:19 PM, Kris Kennaway wrote:

> On Thu, Mar 07, 2002 at 09:33:40AM -0600, chris wrote:
>> I currently have a rule that denies all traffic not from an IP range
>> in. I need to open that up to allow two distinct IP ranges in.
>> Obviously adding a second deny not will not allow anyone in, how do I
>> do this?
>
> Add an allow rule for the first range, an allow rule for the second
> range, and a "deny all rule" after both of them to catch the rest.
>
> Kris

I have done that as was suggested earlier by Girnet Vladimir, but run into a problem with diverting to an internal machine.
$fwcmd add 2100 allow tcp from 129.130.75.0/24 to xxx.xxx.xxx.xxx 80
$fwcmd add 2200 allow tcp from 17.254.0.0/24 to xxx.xxx.xxx.xxx 80
$fwcmd add 2300 deny tcp from any to xxx.xxx.xxx.xxx 80
# divert traffic
$fwcmd add 2400 divert natd all from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
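The ordering behind the problem in the rule set above, as an added example that is not from the original post or from FreeBSD's own rc.firewall. ipfw walks rules in number order and stops at the first allow or deny that matches, while a packet that natd(8) writes back to its divert socket re-enters the firewall at the rule after the divert. With the allow rules at 2100 and 2200 numbered below the divert at 2400, a packet from one of the permitted ranges is accepted while its destination is still the external address and is never handed to natd, so it terminates on the firewall host rather than on the internal machine; everything else is dropped at 2300 before natd sees it. Putting the divert first and then filtering on the address natd redirects to fixes both. The interface fxp0, the addresses 192.0.2.10 (external) and 10.0.0.80 (internal web server) and the natd redirect_port invocation are assumptions for illustration; the script prints the ipfw commands by default and only installs them when fwcmd is set to the real binary.

```shell
#!/bin/sh
# Added example: ipfw + natd rule order for redirecting port 80 to an internal host.
# Dry run by default (prints the ipfw commands). To install the rules:
#   fwcmd="/sbin/ipfw -q" sh ipfw-natd-order.sh
# Assumptions (not from the original post): external interface fxp0, external
# address 192.0.2.10, internal web server 10.0.0.80, and natd started as
#   natd -n fxp0 -redirect_port tcp 10.0.0.80:80 80
fwcmd="${fwcmd:-echo ipfw}"
oif="fxp0"
web_ip="10.0.0.80"

# Emit the rules in the order ipfw must evaluate them.
rules() {
    # 1. NAT before any terminating rule. natd rewrites the destination of an
    #    inbound packet (192.0.2.10:80 -> 10.0.0.80:80) and writes it back to the
    #    divert socket; ipfw resumes at the next rule with the translated header.
    echo "add 2000 divert natd all from any to any via $oif"
    # 2. The two permitted source ranges, matched against the post-NAT address.
    #    allow still terminates the search, but NAT has already happened.
    echo "add 2100 allow tcp from 129.130.75.0/24 to $web_ip 80 in via $oif"
    echo "add 2200 allow tcp from 17.254.0.0/24 to $web_ip 80 in via $oif"
    # 3. Catch-all for the web server, after both allows (first match wins).
    echo "add 2300 deny tcp from any to $web_ip 80 in via $oif"
}

# Refuse a list in which a terminating allow/deny is numbered below the divert:
# that is exactly the ordering that bypasses natd for permitted sources.
check_order() {
    rules | awk '
        $1 == "add" && $3 == "divert" { d = $2 }
        $1 == "add" && ($3 == "allow" || $3 == "deny") {
            if (f == "" || $2 + 0 < f + 0) f = $2
        }
        END {
            ok = (d != "" && f != "" && d + 0 < f + 0)
            exit ok ? 0 : 1
        }'
}

install_rules() {
    check_order || {
        echo "refusing: divert is not the lowest-numbered rule" >&2
        return 1
    }
    rules | while read -r rule; do
        # unquoted on purpose: each word becomes one ipfw argument
        $fwcmd $rule
    done
}

install_rules
```

Run it once without fwcmd set to see the exact commands, then again with fwcmd pointing at /sbin/ipfw. If the existing rule set is loaded from rc.firewall, the same ordering applies there: the divert line has to sit above the port-80 allow and deny lines, not below them.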