Date: Tue, 25 Feb 1997 13:22:11 -0700 (MST)
From: Brandon Gillespie <brandon@glacier.cold.org>
To: freebsd-questions@freebsd.org
Subject: Firewall setup questions (ipfw rule ordering)
Message-ID: <Pine.NEB.3.95.970225131303.10320A-100000@glacier.cold.org>
I'm working on setting up a firewall and I'm running into some problems with my limited knowledge of ipfw. Assuming the 'simple' firewall rules set, I also want the following 'equivalent' rule:

    ipfw add deny all NOT from ${onet}:${omask} to any via ${oif}

Basically, I'm working on setting up my network with two walls:

    internet
       |
    - - - - router/cleanwall - - - - -
       |
    local network
       |
    - - - - - firewall - - - - -
       |
    secure network

Where the first (router) is basically a 'cleanwall' in that it guarantees no spoofing and it also drops packets from 192.168.* addresses. The localnet will all be on our own Class C network. Everything on the secure side of the firewall will be on the 192.168.* address domain, and the firewall will ONLY allow packets from our IP domain from the outside in, and on the same hand it will only allow 192.168.* addresses from the inside out.

Unfortunately, to the best of my knowledge (and the man page) it looks like ipfw's rules only restrict specific cases, and not the inverse (i.e. all BUT this case).. or am I mistaken? I was thinking I could do:

    ipfw allow all from ${onet}:${omask} to any in via ${oif}

Then simply let everything else be denied--but when 'allow' is matched it stops checking the rules, so I can't add additional rules for what ports and networking protocols can be passed over the firewall..

Help?

-Brandon Gillespie
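An added example, not from the post or from FreeBSD: a small Python model of ipfw's first-match evaluation. It reproduces the problem described above (a broad allow rule ends the search before any port rules run) and shows how rule ordering with a skipto action, which is assumed here to be available in the poster's ipfw, expresses the "deny all NOT from ${onet} in via ${oif}" intent. The network 203.0.113.0/24 and interface ed0 are constructed values.

```python
import ipaddress

# Constructed model of ipfw's first-match evaluation: rules are tried in
# number order, allow/deny end the search, skipto jumps ahead. The names
# onet/oif mirror the post; the address and interface are made-up values.
ONET = ipaddress.ip_network("203.0.113.0/24")  # assumed "our Class C"
OIF = "ed0"                                      # assumed outside interface

def rule(num, action, src=None, dst_port=None, direction=None, iface=None, target=None):
    return dict(num=num, action=action, src=src, dst_port=dst_port,
                direction=direction, iface=iface, target=target)

# What the post tried: allow matches first, so later port rules never run.
NAIVE = [
    rule(100, "allow", src=ONET, direction="in", iface=OIF),
    rule(65535, "deny"),
]

# Ordering trick (assumes ipfw's skipto action): packets from onet on the
# outside interface jump to the port rules; everything else arriving on it
# is denied, which is the "deny all NOT from onet in via oif" the post wants.
ORDERED = [
    rule(100, "skipto", src=ONET, direction="in", iface=OIF, target=1000),
    rule(200, "deny", direction="in", iface=OIF),
    rule(1000, "allow", dst_port=25),   # smtp
    rule(1010, "allow", dst_port=80),   # http
    rule(65535, "deny"),                # default: everything else
]

def matches(r, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    return ((r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"])
            and (r["dst_port"] is None or r["dst_port"] == pkt["dst_port"])
            and (r["direction"] is None or r["direction"] == pkt["direction"])
            and (r["iface"] is None or r["iface"] == pkt["iface"]))

def evaluate(pkt, rules):
    """Return (action, rule number) of the first terminating rule that matches."""
    rules = sorted(rules, key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        r = rules[i]
        if matches(r, pkt):
            if r["action"] == "skipto":  # resume at first rule numbered >= target
                i = next(j for j, x in enumerate(rules) if x["num"] >= r["target"])
                continue
            return r["action"], r["num"]
        i += 1
    return "deny", None  # nothing matched: treat as the implicit default deny
```

Packets are plain dicts with src, dst_port, direction and iface keys, so a few constructed cases (telnet from our net under NAIVE versus ORDERED, http from a foreign net) show the difference directly.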