Date:      Sun, 18 Jan 2009 17:42:19 -0700
From:      Kim Shrier <>
Subject:   Re: possible to block one address on all ports?
Message-ID:  <>
In-Reply-To: <>
References:  <> <> <>


On Jan 18, 2009, at 4:28 PM, wrote:

> Greetings Kim, and thank you very much for such a concise overview...

... snip ...

> I find I'm only left with one question:
> If my box is assigned an internet routable IP (not a private IP),
> which address should take precedence? In other words, knowing that
> IPFW works "top down", or "first match", how would/should I add my
> internet routable IP (assuming I should)? Or should I simply replace
> with my internet routable IP as shown in your example?
> I see you have posted another reply. I'll see if you've already
> addressed my question in that reply. :)
> Thank you again for taking the time to be so helpful.
> Best wishes.
> --Chris

You don't need to do anything for your routable IP address. Packets
going to and coming from that IP will be matched by rule 65000 and
go on through the filter.  Also, you don't want to change rules 100
through 300 regardless of the IP address of your interface.

I don't know what you are doing with your machine but you can look
at the rules inserted by the WORKSTATION or SIMPLE firewall
configurations to see how to do more sophisticated filtering. I also
recommend the book, "Building Internet Firewalls" by Chapman and Zwicky
to learn more about packet filtering.

  Kim Shrier - principal, Shrier and Deihl -
Remote Unix Network Admin, Security, Internet Software Development
   Tinker Internet Services - Superior FreeBSD-based Web Hosting
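Kim's earlier example is not on this page, so the script below is an added illustration (not code from the original messages) of the first-match point made above: a simulated ipfw ruleset with the loopback rules 100 through 300 as FreeBSD's rc.firewall installs them, a pair of deny rules for the address to block, and the catch-all allow at 65000. The addresses (192.0.2.10 as the host to block, 203.0.113.5 as the box's own routable address), the interface name em0 and the rule number 400 are constructed for the example. The awk evaluator walks the rules in number order and reports the first match, which shows why the deny rules must carry a number below 65000, and why the box's own routable IP needs no rule of its own.

```shell
#!/bin/sh
# Simulated ipfw first-match evaluation (added example, not from the original post).
# Constructed values: 192.0.2.10 is the host to block, 203.0.113.5 is this box's
# routable address, em0 its interface. Rules 100-300 mirror the loopback rules
# FreeBSD's rc.firewall installs; 65000 is the catch-all allow.

BLOCKED=192.0.2.10

# Rules as an admin might type them, deliberately out of order. $1 is the
# number given to the two deny rules; the number, not the typing order,
# decides where they sit in the list.
typed_rules() {
    echo "ipfw add 65000 allow ip from any to any"
    echo "ipfw add $1 deny ip from $BLOCKED to any"
    echo "ipfw add $1 deny ip from any to $BLOCKED"
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 300 deny ip from 127.0.0.0/8 to any"
}

# What 'ipfw list' would show: the kernel keeps rules sorted by number.
loaded_rules() {
    typed_rules "$1" | sed 's/^ipfw add //' | sort -n
}

# first_match BLOCKNUM SRC DST IFACE
# Prints "ACTION RULENUM" for the first rule that matches, walking the sorted
# list top down exactly as ipfw does. If nothing matches, the implicit rule
# 65535 applies (deny unless the kernel was built to accept by default).
first_match() {
    loaded_rules "$1" | awk -v src="$2" -v dst="$3" -v ifc="$4" '
    function ip2n(ip,  o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # pat is "any", a single address, or a prefix in CIDR form.
    function match_addr(pat, ip,  p, shift) {
        if (pat == "any") return 1
        if (index(pat, "/") == 0) return pat == ip
        split(pat, p, "/")
        shift = 2 ^ (32 - p[2])
        return int(ip2n(p[1]) / shift) == int(ip2n(ip) / shift)
    }
    {
        # fields: NUM ACTION PROTO from SRC to DST [via IFACE]
        iface = ($8 == "via") ? $9 : ""
        if (match_addr($5, src) && match_addr($7, dst) && (iface == "" || iface == ifc)) {
            print $2 " " $1
            matched = 1
            exit
        }
    }
    END { if (!matched) print "default 65535" }'
}

echo "blocked host inbound:        $(first_match 400 $BLOCKED 203.0.113.5 em0)"
echo "blocked host outbound:       $(first_match 400 203.0.113.5 $BLOCKED em0)"
echo "other host to our IP:        $(first_match 400 198.51.100.7 203.0.113.5 em0)"
echo "deny numbered after 65000:   $(first_match 65100 $BLOCKED 203.0.113.5 em0)"
echo "spoofed 127.0.0.1 on em0:    $(first_match 400 127.0.0.1 203.0.113.5 em0)"
```

The fourth line of output is the case the thread warns about: a deny rule numbered above 65000 is never reached because the catch-all allow matches first, so the blocked host gets through. Traffic to and from 203.0.113.5 reaches rule 65000 without any rule naming that address, which is why no rule for the box's own routable IP is needed.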
