From: "Mire, John"
To: "'cravey@hal-pc.org'", "Mire, John"
Cc: freebsd-questions@freebsd.org
Subject: RE: ipfw config to only allow gif tunnels.
Date: Tue, 9 Apr 2002 14:07:56 -0500

I guess I'm missing something, because the gif interfaces have to exist either by cloning or by creating them, and I use a similar rule to allow gif interface traffic to traverse my firewall regardless of the IP addresses associated with them. Without it the gif (ipip) traffic gets blocked.

The other thing to do is use the protocol number:

    ipip    94  IPIP    # Yet Another IP encapsulation
    encap   98  ENCAP   # Yet Another IP encapsulation

I'm betting on 94 and write the rule something like:

    ipfw add 00122 allow 94 from a.b.c.d to me
    ipfw add 00124 allow 94 from me to a.b.c.d

You could even add granularity by specifying the interface, etc...

-----Original Message-----
From: cravey@hal-pc.org [mailto:cravey@hal-pc.org]
Sent: Tuesday, April 09, 2002 1:46 PM
To: jmire@lsuhsc.edu
Cc: freebsd-questions@freebsd.org
Subject: RE: ipfw config to only allow gif tunnels.

Sorry, that doesn't seem to work unless you're trying to firewall the traffic coming down the tunnel with the tunnel already established. Any other suggestions? Thanks.

-Stephen

> try something like:
>
> ipfw add 00122 allow ip from a.b.c.d to me via gif0
> ipfw add 00124 allow ip from me to a.b.c.d via gif0
>
> --
> John Mire: jmire@lsuhsc.edu   Network Administration
> 318-675-5434   LSU Health Sciences Center - Shreveport
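The following is an added example written for this thread; it is not John's or Stephen's configuration and not FreeBSD's own documentation. It shows the two layers a gif tunnel needs in ipfw. gif(4) encapsulates IPv4 inside IPv4 as IP protocol 4 and IPv6 inside IPv4 as protocol 41, and those outer packets arrive on the physical interface, so they must be allowed there by protocol and by endpoint address. A rule written "via gif0" only sees the inner packets after the kernel has decapsulated them, which is why such rules appear to work only once the tunnel is already passing traffic. The addresses, interface names and rule numbers are placeholders; the tunnel endpoints themselves are assumed to be set already with ifconfig/gifconfig.

```shell
#!/bin/sh
# Added example for this thread (not John's or Stephen's configuration).
# ipfw rules for a gif(4) tunnel. gif(4) sends IPv4-in-IPv4 as IP protocol 4
# and IPv6-in-IPv4 as protocol 41; those outer packets arrive on the physical
# interface, so they have to be allowed there. Rules that say "via gif0" only
# see the inner packets after decapsulation, so they never admit the tunnel
# itself.
#
# All values below are placeholders (assumed, not from the thread). The tunnel
# endpoints are assumed already set with ifconfig/gifconfig.
LOCAL_OUTER="${LOCAL_OUTER:-192.0.2.1}"       # our outer (public) address
REMOTE_OUTER="${REMOTE_OUTER:-198.51.100.1}"  # peer's outer address
OUTER_IF="${OUTER_IF:-fxp0}"                  # interface the outer packets cross
TUN_IF="${TUN_IF:-gif0}"                      # the tunnel interface
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = load them

# run: print the command (DRY_RUN=1) or execute it, so a ruleset can be
# reviewed before it is loaded on a remote box.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# gif_rules: the tunnel rules, in the order ipfw evaluates them (ascending
# rule number).
gif_rules() {
    # 1. Outer packets: only protocols 4 and 41, only between the two
    #    endpoints, only on the outer interface.
    for proto in 4 41; do
        run ipfw add 122 allow "$proto" from "$REMOTE_OUTER" to "$LOCAL_OUTER" in via "$OUTER_IF"
        run ipfw add 124 allow "$proto" from "$LOCAL_OUTER" to "$REMOTE_OUTER" out via "$OUTER_IF"
    done
    # 2. Any other encapsulated packet is dropped explicitly, so a host that
    #    is not the tunnel peer cannot get packets delivered through gif0.
    for proto in 4 41; do
        run ipfw add 126 deny "$proto" from any to any
    done
    # 3. Inner packets: what the decapsulated traffic may do. "any to any"
    #    here is the widest setting; tighten it to the inner subnets in use.
    run ipfw add 130 allow ip from any to any via "$TUN_IF"
}

# Review with: sh gif-ipfw.sh    Load as root with: DRY_RUN=0 sh gif-ipfw.sh
gif_rules
```

Two points worth checking on a real box: the deny at 126 must sit before any broader rule such as "allow ip from a.b.c.d to me", or that rule will admit encapsulated packets from the peer to anything on the host; and pinning the local outer address instead of "me" keeps the tunnel bound to the one address pair the peer is configured for.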