Date:      Wed, 3 May 2000 22:09:34 -0400 (EDT)
From:      Chris Hill <chris@monochrome.org>
To:        Chris Browning <brownicm@bellsouth.net>
Cc:        Database <petedonadio@mediaone.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw
Message-ID:  <Pine.BSF.3.96.1000503215655.4298A-100000@mail>
In-Reply-To: <200005040035.UAA18513@mail6.lig.bellsouth.net>

On Wed, 3 May 2000, Chris Browning wrote:

> I'm just jumping in here but I've been playing w/ ipfw, too.

Same here :^)

> I think you want to allow the remotedeveloper_address before you
> deny everything else. 

I think you're right.

> Anything going to pub_addr2 that's *not* remdev_addr *and* tcp *and*
> on port 21 will fail the test and be passed to the deny cmd. 

In other words, the rules are applied in the order they are listed, so
the second rule in Database's list supersedes the third and fourth. 
Once "all from any to public_add2" has been denied (second rule), the
rules after that that pertain to "...to public_add2..." will be
ignored.  He could force rules to be applied in a certain order by
giving them numbers, in which case they would be applied in numerical
order. 

> If I'm wrong I'm sure any correction posted will be instructive. 

Same here again.
    
> On 3 May 00, at 19:42, Database wrote:
> 
> > The rules are as follows.
> > 
> > ipfw add allow all from any to public_add1
> > ipfw add deny all from any to public_add2
> > ipfw add allow tcp from remotedeveloper_address to public_address2 22
> > ipfw add allow tcp from remotedeveloper_address to public_address2 21
> > 
> > Do I have to add rules for natd? And is this possible?

Yes and yes. Try adding a rule like

ipfw add divert 8668 log ip from any to any via your_outside_interface
                     ^^^
Log is optional; don't do it if you don't want to. man natd and man 
ipfw for more info.

--
Chris Hill                     chris@monochrome.org
[place witty saying here]
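The ordering point made in this thread, as an added example that is not part of the original messages: a small first-match simulator in POSIX sh that evaluates a packet against a rule list the way ipfw does (first matching rule decides, default rule denies), run over the rule set as Database posted it and over the same rules with the developer's allows moved ahead of the broad deny. The host names are the thread's own placeholders, the rule numbers and `your_outside_interface` are assumed, and `fixed_ipfw_commands` just emits the corrected commands with explicit numbers so the order is not left to `ipfw add` auto-numbering.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: a first-match rule
# simulator showing why rule order decides what reaches public_add2.
# Rules are "number action proto src dst dport"; "any" is a wildcard.
# Host names are the thread's placeholders, not real addresses.

# The rule set as posted: public_add2 is denied at rule 200, so the
# developer's allows at 300 and 400 can never be reached.
RULES_ORIGINAL='
100 allow any any public_add1 any
200 deny  any any public_add2 any
300 allow tcp remotedeveloper_address public_add2 22
400 allow tcp remotedeveloper_address public_add2 21
'

# Corrected order: the specific allows come before the broad deny.
RULES_FIXED='
100 allow any any public_add1 any
200 allow tcp remotedeveloper_address public_add2 22
300 allow tcp remotedeveloper_address public_add2 21
400 deny  any any public_add2 any
'

# field_matches VALUE PATTERN: true if PATTERN is "any" or equals VALUE.
field_matches() {
    [ "$2" = any ] || [ "$1" = "$2" ]
}

# evaluate RULES PROTO SRC DST DPORT: prints the action of the first
# matching rule, or "deny" (ipfw's default rule 65535) if none matches.
evaluate() {
    result=$(printf '%s\n' "$1" | while read -r num action rproto rsrc rdst rport; do
        [ -z "$num" ] && continue
        if field_matches "$2" "$rproto" && field_matches "$3" "$rsrc" \
           && field_matches "$4" "$rdst" && field_matches "$5" "$rport"; then
            echo "$action"
            break          # first match wins; ipfw stops evaluating here
        fi
    done)
    echo "${result:-deny}"
}

# fixed_ipfw_commands: the corrected rules as explicitly numbered ipfw
# commands, with the natd divert from the reply placed first so inbound
# packets are translated before the filter rules see them. The rule
# numbers and interface name are assumptions for this example.
fixed_ipfw_commands() {
    cat <<'EOF'
ipfw add 100 divert 8668 ip from any to any via your_outside_interface
ipfw add 200 allow all from any to public_add1
ipfw add 300 allow tcp from remotedeveloper_address to public_add2 22
ipfw add 400 allow tcp from remotedeveloper_address to public_add2 21
ipfw add 500 deny all from any to public_add2
EOF
}

# Stand-alone demonstration of the two orders.
echo "posted order, developer ssh -> $(evaluate "$RULES_ORIGINAL" tcp remotedeveloper_address public_add2 22)"
echo "fixed order,  developer ssh -> $(evaluate "$RULES_FIXED" tcp remotedeveloper_address public_add2 22)"
echo "fixed order,  stranger ssh  -> $(evaluate "$RULES_FIXED" tcp some_other_host public_add2 22)"
```

On a FreeBSD host the emitted commands can be syntax-checked without loading them by running each one with `ipfw -n`; the simulator itself needs no ipfw and runs anywhere a POSIX sh is available.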


