Date: Thu, 27 Feb 1997 09:31:35 -0800 (PST)
From: "Jonathan M. Bresler" <jmb>
To: brandon@cold.org (Brandon Gillespie)
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules problems (NOT operator?)
Message-ID: <199702271731.JAA08518@freefall.freebsd.org>
In-Reply-To: <Pine.NEB.3.95.970227090145.5190A-100000@cold.org> from "Brandon Gillespie" at Feb 27, 97 09:05:59 am
Brandon Gillespie wrote:
> > > then write those rules and do not write an "allow all from
> > > ${onet}:${omask} to any" rule.
> >
> > how about telling us what effect you want? for instance
> > allow telnet from the inside to ___, but no incoming telnet
> > connections. allow pasv ftp. dont allow any icmp. etc...
>
> I did :b But I'll do again:
>
>                 Cleanwall          Firewall
>                     :                 |
>   Internet  =>      :  => Localnet => | => Securenet
>                     :    206.81.134.0 |    192.168.1.0
>                     :                 |
>
> I want the Firewall (FreeBSD) to _only_ allow telnet, dns and lp/lpr
> (npp?) from the outside in--furthermore I want it to ONLY allow tcp
> packets from 206.81.134.0. Same goes for the inside out, except for with

ahh....i'm sorry, i missed the list (telnet dns lp). must be getting old ;)

the 6 rules below should allow telnet, dns, and lpr from the Localnet
to the Securenet (and allow the Securenet to respond to the Localnet)

# the next 6 rules handle connections from Localnet -> Securenet
# allow telnet from Localnet to Securenet (incl. connection setup)
# and allow the Securenet to respond to telnet packets from Localnet
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 telnet
ipfw add allow tcp from 192.168.1/24 telnet to 206.81.134/24 established
# allow lpr from Localnet to Securenet
# and allow Securenet to respond to lpr requests from Localnet
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 printer
ipfw add allow ip from 192.168.1/24 printer to 206.81.134/24
# allow dns queries from Localnet to Securenet
# and allow Securenet to respond to dns queries from Localnet
ipfw add allow ip from 206.81.134/24 to 192.168.1/24 domain
ipfw add allow ip from 192.168.1/24 domain to 206.81.134/24

# the next 6 rules handle connections from Securenet -> Localnet
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24 telnet
ipfw add allow tcp from 206.81.134/24 telnet to 192.168.1/24 established
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 printer
ipfw add allow ip from 206.81.134/24 printer to 192.168.1/24
ipfw add allow ip from 192.168.1/24 to 206.81.134/24 domain
ipfw add allow ip from 206.81.134/24 domain to 192.168.1/24

you said above "furthermore I want it to ONLY allow tcp packets from
206.81.134.0."  is this *in*addition*to* telnet dns and lpr?  or a
restriction upon dns and lpr (either do/can use udp in addition to tcp)

# allow ONLY tcp packets, all tcp packets from Localnet to Securenet
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24
ipfw add allow tcp from 192.168.1/24 to 206.81.134/24

if you use the 2 rules above you can get rid of the rules with "tcp" and
"telnet" in them, these two are a superset

you can add "via" to these rules to harden them if you wish.

jmb
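The rule set in the message is easier to reason about when you can watch ipfw's first-match evaluation run over real-looking packets. The simulator below is an added example, not code from the e-mail or from FreeBSD: it implements only the ipfw features the posted rules use (action, protocol, ipfw's shortened CIDR form, an optional port on either side, `established`) plus the implicit final deny, and it assumes the stateless semantics of ipfw at the time (rules tried in order, first match wins, `established` matching any TCP segment with ACK or RST set, with no connection tracking). Two practitioner caveats are built in: ipfw only accepts port names with `tcp` or `udp`, so the `allow ip ... domain` and `allow ip ... printer` rules from the message are rewritten per protocol here (and the simulator rejects the `ip`-with-port form the way ipfw does); and because `established` is stateless, a forged segment from port 23 with ACK set passes the reply rule even though no telnet session exists, which is exactly why jmb suggests hardening with `via`. The sample packets and host addresses are constructed for the example.

```python
"""First-match simulator for the ipfw rules above (added example, not FreeBSD code).

Assumes stateless ipfw semantics: rules are tried in order, the first match
wins, 'established' matches any TCP segment with ACK or RST, and an implicit
'deny ip from any to any' ends the list.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SERVICES = {"telnet": 23, "domain": 53, "printer": 515}  # /etc/services names used in the rules


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN"} or {"ACK"}


def parse_net(tok: str) -> ipaddress.IPv4Network:
    """Expand ipfw's shortened form: '206.81.134/24' -> 206.81.134.0/24, 'any' -> 0.0.0.0/0."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = tok.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"), strict=False)


def parse_port(tok: str) -> int:
    return SERVICES[tok] if tok in SERVICES else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse 'ipfw add <action> <proto> from <net> [port] to <net> [port] [established]'."""
    toks = line.split()
    if toks[:2] != ["ipfw", "add"] or len(toks) < 8 or toks[4] != "from":
        raise ValueError(f"unsupported rule syntax: {line}")
    action, proto = toks[2], toks[3]
    src, i, sport = parse_net(toks[5]), 6, None
    if toks[i] != "to":
        sport, i = parse_port(toks[i]), i + 1
    if toks[i] != "to":
        raise ValueError(f"expected 'to': {line}")
    dst, i = parse_net(toks[i + 1]), i + 2
    dport, established = None, False
    for tok in toks[i:]:
        if tok == "established":
            established = True
        else:
            dport = parse_port(tok)
    # ipfw accepts port specifications only with tcp and udp, so a rule such as
    # 'allow ip from A to B domain' is rejected and must be written per protocol.
    if proto not in ("tcp", "udp") and (sport is not None or dport is not None):
        raise ValueError(f"ports are only valid with tcp or udp: {line}")
    if established and proto != "tcp":
        raise ValueError(f"'established' is only valid with tcp: {line}")
    return Rule(action, proto, src, sport, dst, dport, established)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.sport is None or pkt.sport == rule.sport)
            and (rule.dport is None or pkt.dport == rule.dport)
            and (not rule.established or bool(pkt.flags & {"ACK", "RST"})))


def evaluate(rules, pkt):
    """Action and index of the first matching rule; ('deny', -1) is the implicit default rule."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, idx
    return "deny", -1


# Localnet -> Securenet service rules from the message, with the dns and lpr
# rules written per protocol so that ipfw accepts the port names.
LOCAL_TO_SECURE = [parse_rule(l) for l in """
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 telnet
ipfw add allow tcp from 192.168.1/24 telnet to 206.81.134/24 established
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 printer
ipfw add allow tcp from 192.168.1/24 printer to 206.81.134/24 established
ipfw add allow udp from 206.81.134/24 to 192.168.1/24 domain
ipfw add allow udp from 192.168.1/24 domain to 206.81.134/24
ipfw add allow tcp from 206.81.134/24 to 192.168.1/24 domain
ipfw add allow tcp from 192.168.1/24 domain to 206.81.134/24 established
""".split("\n") if l.strip()]

# The two "all tcp" rules jmb offers as a superset of the tcp rules above.
ALL_TCP = [parse_rule(l) for l in (
    "ipfw add allow tcp from 206.81.134/24 to 192.168.1/24",
    "ipfw add allow tcp from 192.168.1/24 to 206.81.134/24")]

# Constructed sample traffic (hosts and ports invented for this example).
SAMPLES = {
    "telnet_syn_local_to_secure": Packet("tcp", "206.81.134.5", 1025, "192.168.1.10", 23, frozenset({"SYN"})),
    "telnet_reply_secure_to_local": Packet("tcp", "192.168.1.10", 23, "206.81.134.5", 1025, frozenset({"ACK"})),
    "telnet_syn_secure_to_local": Packet("tcp", "192.168.1.10", 1025, "206.81.134.5", 23, frozenset({"SYN"})),
    "forged_ack_from_port_23": Packet("tcp", "192.168.1.10", 23, "206.81.134.5", 4444, frozenset({"ACK"})),
    "dns_udp_query": Packet("udp", "206.81.134.5", 1026, "192.168.1.53", 53),
    "ssh_local_to_secure": Packet("tcp", "206.81.134.5", 1027, "192.168.1.10", 22, frozenset({"SYN"})),
    "icmp_echo": Packet("icmp", "206.81.134.5", 0, "192.168.1.10", 0),
}


def verdicts(rules):
    """Map each sample packet name to the action the rule list gives it."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, rules in (("service rules only", LOCAL_TO_SECURE), ("all-tcp rules first", ALL_TCP + LOCAL_TO_SECURE)):
        print(label)
        for name, action in verdicts(rules).items():
            print(f"  {action:5} {name}")
```

Running it prints the verdict for each sample under the service rules alone and then with the two all-tcp rules prepended. With the service rules only, the telnet SYN from Localnet and its ACK reply are allowed, a telnet SYN in the other direction, ssh and icmp are denied by the default rule, and the forged ACK from port 23 is allowed, which is the stateless `established` weakness. Once `ALL_TCP` is in front, every TCP packet in either direction matches rule 0 or 1, so the per-service tcp rules never fire: that is the "superset" jmb describes, and it shows that those two rules permit far more than telnet, dns and lpr.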