Date:      Wed, 26 Feb 1997 13:03:34 -0800 (PST)
From:      "Jonathan M. Bresler" <jmb>
To:        brandon@cold.org (Brandon Gillespie)
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw rules problems (NOT operator?)
Message-ID:  <199702262103.NAA03088@freefall.freebsd.org>
In-Reply-To: <Pine.NEB.3.95.970226114513.3174A-100000@cold.org> from "Brandon Gillespie" at Feb 26, 97 11:51:50 am

Brandon Gillespie wrote:
> 
> I have need for a 'not' operator with ipfw--or at least I do based off my
> minimal knowledge of ipfw rules (from the man pages) and what I need.  To
> explain... My network topology uses two 'walls':
> 
>                 :                     |
>     Internet => : => Local Network => | => Secure Network
>                 :                     |
>             Cleanwall              Firewall
> 
> Basically, the cleanwall is just our Cisco router, which is setup to deny
> spoofing and to drop anything from 192.168.0 on the floor.  Most of the
> workstations in the building are on the Local network.  The secure network
> will contain our database systems.  I'm working on setting up a FreeBSD
> box as the Firewall.  I want the firewall to deny all packets that are NOT
> from our IP domain (206.81.134.0).  I was hoping for a rule with ipfw (and
> I couldn't find it) like:
> 
>    ipfw add deny all NOT from ${onet}:${omask} to any from ${oif}
> 
> An alternative I have considered is to simply allow any from $onet, and
> deny everything else--but this rule would drop it out immediately, so I
> couldn't further filter based on protocol and port.

Brandon,
	it seems to me that "deny all not from ${onet}:${omask} to any"
	is the same as "allow all from ${onet}:${omask} to any"

	why not:

	allow packets from 206.81.134.0
	allow packets "filter based on protocol and port"
	drop all other packets

	do i not understand what you wish to achieve?
	in short it is not clear to me what packets you want to allow
jmb
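To make the ordering question in this exchange concrete, here is a small constructed model of ipfw's first-match evaluation (added here, not code from either poster); it runs the two orderings discussed above over a few sample packets. The /24 mask for onet, the secure-side subnet, and the database port are assumptions.

```python
import ipaddress

# Assumed values: the page gives 206.81.134.0 but no mask; the secure subnet
# and database port are hypothetical stand-ins for "database systems".
ONET = ipaddress.ip_network("206.81.134.0/24")
SECURE_DB = ipaddress.ip_network("206.81.134.128/25")
DB_PORT = 5432

def rule(action, proto="all", src=None, src_not=False, dst=None, dport=None):
    """One rule: action, protocol, optional (negated) source net, dest net, dest port."""
    return dict(action=action, proto=proto, src=src, src_not=src_not, dst=dst, dport=dport)

def matches(r, pkt):
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None:
        in_src = ipaddress.ip_address(pkt["src"]) in r["src"]
        if in_src == r["src_not"]:      # 'not' inverts the source test
            return False
    if r["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    return True

def evaluate(rules, pkt):
    """First matching rule decides; nothing matching means deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# Ordering 1: reject non-onet sources first, so onet traffic still reaches the port rule.
DENY_NOT_FIRST = [
    rule("deny", src=ONET, src_not=True),
    rule("allow", proto="tcp", src=ONET, dst=SECURE_DB, dport=DB_PORT),
    rule("deny"),
]
# Ordering 2: a blanket allow for onet placed first ends evaluation before the port rule.
ALLOW_FIRST = [
    rule("allow", src=ONET),
    rule("allow", proto="tcp", src=ONET, dst=SECURE_DB, dport=DB_PORT),
    rule("deny"),
]

# Constructed sample packets: onet host to the DB port, onet host to telnet, outsider to DB.
PACKETS = [
    dict(proto="tcp", src="206.81.134.10", dst="206.81.134.200", dport=DB_PORT),
    dict(proto="tcp", src="206.81.134.10", dst="206.81.134.200", dport=23),
    dict(proto="tcp", src="10.1.2.3", dst="206.81.134.200", dport=DB_PORT),
]

def decisions(rules):
    return [evaluate(rules, p) for p in PACKETS]
```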
