Date:      Wed, 26 Feb 1997 16:24:16 -0800 (PST)
From:      "Jonathan M. Bresler" <jmb>
To:        brandon@cold.org (Brandon Gillespie)
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw rules problems (NOT operator?)
Message-ID:  <199702270024.QAA14443@freefall.freebsd.org>
In-Reply-To: <Pine.NEB.3.95.970226143851.3510A-100000@cold.org> from "Brandon Gillespie" at Feb 26, 97 02:40:06 pm

Brandon Gillespie wrote:
> 
> > Brandon,
> > 	it seems to me that "deny all not from ${onet}:${omask} to any"
> > 	is the same as "allow all from ${onet}:${omask} to any"
> > 
> > 	why not:
> > 
> > 	allow packets from 206.81.134.0
> > 	allow packets "filter based on protocol and port"
> > 	drop all other packets
> > 
> > 	do i not understand what you wish to achieve?
> > 	in short it is not clear to me what packets you want to allow
> 
> They are SORT OF equivalent, _except_ that I want to further add additional
> rules.  When the packet matches 'allow all from blah' it drops out of the
> rule checking, and isn't affected anymore.  This is NOT what I want--I
> want to further check for ports and protocols.

	then write those rules and do not write an "allow all from
	${onet}:${omask} to any" rule.

	how about telling us what effect you want?  for instance
	allow telnet from the inside to ___, but no incoming telnet
	connections.  allow pasv ftp.  don't allow any icmp.  etc...
jmb
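As an added illustration (not part of either poster's message), a small Python model of first-match rule evaluation that reproduces the behaviour Brandon describes: once an early "allow all from onet" matches, later port rules are skipped for those packets, whereas a negated-source deny placed first leaves them reachable. The /24 mask on 206.81.134.0, the rule representation and the sample packets are constructed; this is not ipfw syntax.

```python
# Toy model of ipfw-style first-match evaluation (added example, not ipfw itself).
from ipaddress import ip_address, ip_network

ONET = ip_network("206.81.134.0/24")  # assumed mask; the thread only names the network

def rule(action, proto="any", src=None, not_src=False, dport=None):
    # src is a network (None = any); not_src=True inverts the source match
    return {"action": action, "proto": proto, "src": src,
            "not_src": not_src, "dport": dport}

def matches(r, pkt):
    if r["proto"] != "any" and r["proto"] != pkt["proto"]:
        return False
    if r["src"] is not None:
        in_src = ip_address(pkt["src"]) in r["src"]
        if in_src == r["not_src"]:  # outside src, or inside a negated src
            return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    return True

def evaluate(rules, pkt):
    """First matching rule decides; nothing matched means deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# Ruleset A: "allow all from onet" first. Every inside packet stops here,
# so the telnet block below is never reached for them.
RULES_A = [rule("allow", src=ONET),
           rule("deny", proto="tcp", dport=23),
           rule("allow", proto="tcp", dport=80),
           rule("deny")]

# Ruleset B: drop anything NOT from onet first; inside packets fall through
# to the port rules instead of being accepted wholesale.
RULES_B = [rule("deny", src=ONET, not_src=True),
           rule("deny", proto="tcp", dport=23),
           rule("allow", proto="tcp", dport=80),
           rule("deny")]

def decide(pkt):
    """Return (verdict under RULES_A, verdict under RULES_B)."""
    return evaluate(RULES_A, pkt), evaluate(RULES_B, pkt)

if __name__ == "__main__":
    # constructed sample packets: inside telnet, then outside http
    print(decide({"src": "206.81.134.5", "proto": "tcp", "dport": 23}))  # ('allow', 'deny')
    print(decide({"src": "10.0.0.9", "proto": "tcp", "dport": 80}))      # ('allow', 'deny')
```

Note that ruleset A also lets outside hosts reach port 80 because nothing above rule 3 stops them, while ruleset B rejects every outside packet at rule 1.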
