Date: Wed, 15 Jan 97 14:23:55 CST
From: Joe Greco <jgreco@solaria.sol.net>
To: ejs@bfd.com (Eric J. Schwertfeger)
Cc: nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
Subject: Re: ipfw cannot do this...
Message-ID: <199701152023.OAA14652@solaria.sol.net>
In-Reply-To: <Pine.BSF.3.95.970115111042.1500L-100000@harlie> from "Eric J. Schwertfeger" at Jan 15, 97 11:14:32 am
> On Wed, 15 Jan 1997, Nate Williams wrote:
>
> > > I just found out one thing we need in ipfw, the ability to inverse the
> > > sense of a rule:
> > >
> > > ipfw add deny not ip from 140.145.0.0 to any via ed0
> > > ipfw add deny not ip from any to 140.145.0.0 via ed1
> > > ^^^
> > > ipfw add allow tcp from any to any 23
> > > ipfw add allow tcp from any to any 25
> > > ...
> > >
> > > any takers ?
> >
> > I'm not sure I follow what you want. What exactly are you trying to do?
>
> As someone that wants something like this, I think I can answer. Quite a
> few times, I've wanted to deny everything but a certain address range, and
> then further restrict that address range.
>
> Actually, what I really want is an ipfw add skip XXX ... where if
> something matches the rule, skip all other rules below XXX (yes, I always
> number my rules:-)
That would work.
ipfw gets to be messy when you want to implement both a cleanwall and a
firewall... not messy-impossible-to-do, but messy-hard-to-understand-and-
read.
It gets very tricky to specify:
{
    /* RFC1918 cleanwall */
    if ( src = 10.0.0.0/8 ||
         src = 127.0.0.0/8 ||
         src = 172.16.0.0/12 ||
         src = 192.168.0.0/16 ) then drop;
    if ( dst = 10.0.0.0/8 ||
         dst = 127.0.0.0/8 ||
         dst = 172.16.0.0/12 ||
         dst = 192.168.0.0/16 ) then drop;

    /* My nets - outbound cleanwall */
    if ( outbound_interface = wan0 ) && (
         src != 206.55.64.0/20 &&
         src != 204.95.172.0/24 &&
         src != 204.95.219.0/24 ) then drop;
    if ( outbound_interface = wan0 ) && (
         dst = 206.55.64.0/20 ||
         dst = 204.95.172.0/24 ||
         dst = 204.95.219.0/24 ) then drop;

    /* My nets - inbound cleanwall */
    if ( inbound_interface = wan0 ) && (
         src = 206.55.64.0/20 ||
         src = 204.95.172.0/24 ||
         src = 204.95.219.0/24 ) then drop;
    if ( inbound_interface = wan0 ) && (
         dst != 206.55.64.0/20 &&
         dst != 204.95.172.0/24 &&
         dst != 204.95.219.0/24 ) then drop;

    /* My firewall rules */
    etc.
}
There's a lot of logic flow in there.
... Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI 414/342-4847
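An added example, not from Joe's message and not ipfw code: a small first-match rule evaluator that models the two features the thread asks for (an inverted address match and "skip to rule N"), and uses them to express the RFC1918 plus own-prefix anti-spoofing cleanwall from the pseudocode above, followed by the service rules. The prefixes are the ones in the message; the interface names "wan0"/"lan0", the rule numbers and the test packets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Prefixes quoted in the message; interface names are assumed for the example.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8",
                                   "172.16.0.0/12", "192.168.0.0/16")]
MY_NETS = [ip_network(n) for n in ("206.55.64.0/20", "204.95.172.0/24",
                                   "204.95.219.0/24")]

def in_any(addr, nets):
    return any(addr in n for n in nets)

def packet(src, dst, inbound, outbound, proto="tcp", dport=0):
    return {"src": ip_address(src), "dst": ip_address(dst), "in": inbound,
            "out": outbound, "proto": proto, "dport": dport}

# A rule is (number, action, predicate). action is "deny", "allow" or
# ("skipto", N). The inverted sense of a rule is just a negated predicate.
def cleanwall_rules():
    return [
        (100, "deny", lambda p: in_any(p["src"], RFC1918)
                                or in_any(p["dst"], RFC1918)),
        # outbound on wan0: source must be ours, destination must not be
        (200, "deny", lambda p: p["out"] == "wan0" and not in_any(p["src"], MY_NETS)),
        (210, "deny", lambda p: p["out"] == "wan0" and in_any(p["dst"], MY_NETS)),
        # inbound on wan0: the mirror image (spoofed "own" source, foreign dest)
        (300, "deny", lambda p: p["in"] == "wan0" and in_any(p["src"], MY_NETS)),
        (310, "deny", lambda p: p["in"] == "wan0" and not in_any(p["dst"], MY_NETS)),
        # "skip all other rules below XXX": anything that survived the cleanwall
        # jumps straight to the service rules at 1000, so rule 500 is never seen
        (400, ("skipto", 1000), lambda p: True),
        (500, "deny", lambda p: True),
        (1000, "allow", lambda p: p["proto"] == "tcp" and p["dport"] in (23, 25)),
        (65535, "deny", lambda p: True),
    ]

def evaluate(rules, pkt):
    """First-match evaluation; returns (matching rule number, action)."""
    i = 0
    while i < len(rules):
        num, action, pred = rules[i]
        if pred(pkt):
            if isinstance(action, tuple) and action[0] == "skipto":
                # resume at the first rule numbered >= the skipto target
                i = next(j for j, r in enumerate(rules) if r[0] >= action[1])
                continue
            return num, action
        i += 1
    return None, "deny"
```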
