From owner-freebsd-questions Wed Feb 26 10:51:56 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA25511 for questions-outgoing; Wed, 26 Feb 1997 10:51:56 -0800 (PST)
Received: from cold.org (cold.org [206.81.134.103]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA25503 for ; Wed, 26 Feb 1997 10:51:52 -0800 (PST)
Received: from localhost (brandon@localhost) by cold.org (8.8.5/8.8.3) with SMTP id LAA03197 for ; Wed, 26 Feb 1997 11:51:50 -0700 (MST)
Date: Wed, 26 Feb 1997 11:51:50 -0700 (MST)
From: Brandon Gillespie
To: freebsd-questions@freebsd.org
Subject: ipfw rules problems (NOT operator?)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I have need for a 'not' operator with ipfw--or at least I do based off my minimal knowledge of ipfw rules (from the man pages) and what I need. To explain...

My network topology uses two 'walls':

                :                      |
    Internet => : => Local Network => | => Secure Network
                :                      |
            Cleanwall              Firewall

Basically, the cleanwall is just our Cisco router, which is set up to deny spoofing and to drop anything from 192.168.0 on the floor. Most of the workstations in the building are on the Local network. The secure network will contain our database systems.

I'm working on setting up a FreeBSD box as the Firewall. I want the firewall to deny all packets that are NOT from our IP domain (206.81.134.0). I was hoping for a rule with ipfw (and I couldn't find it) like:

    ipfw add deny all NOT from ${onet}:${omask} to any from ${oif}

An alternative I have considered is to simply allow any from $onet, and deny everything else--but this rule would drop it out immediately, so I couldn't further filter based on protocol and port.

Help? Suggestions? Hack ipfw?

-Brandon Gillespie
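The difference between the two rulesets described in the post comes down to ipfw's first-match evaluation. The following is an added illustration, not code from the post or from ipfw itself: a small Python model of first-match rule evaluation with the negated-source qualifier the poster is asking for, run over both orderings. The allowed service port (22) and the packet addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The poster's IP domain; traffic from any other source should be rejected.
ONET = ipaddress.ip_network("206.81.134.0/24")


@dataclass
class Rule:
    action: str                                   # "allow" or "deny"
    src: Optional[ipaddress.IPv4Network] = None   # None matches any source
    negate_src: bool = False                      # the NOT qualifier on the source
    dport: Optional[int] = None                   # None matches any destination port

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.src is not None:
            in_src = ipaddress.ip_address(src_ip) in self.src
            # With negate_src the rule matches only sources OUTSIDE self.src.
            if in_src == self.negate_src:
                return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, src_ip: str, dport: int) -> str:
    """First matching rule decides, as ipfw does; nothing matched means deny."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action
    return "deny"


# What the poster wants: reject foreign sources first, then filter by port.
WANTED = [
    Rule("deny", src=ONET, negate_src=True),
    Rule("allow", src=ONET, dport=22),   # constructed sample service port
    Rule("deny"),
]

# The alternative the poster considered: allow onet outright, deny the rest.
# Once the first rule matches, later port rules are never consulted.
ALTERNATIVE = [
    Rule("allow", src=ONET),
    Rule("deny"),
]
```

Running `evaluate` on a packet from inside onet to a port other than 22 shows the point: the WANTED ordering still denies it, while ALTERNATIVE lets every packet from onet through untouched.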