From: Kim Shrier <kim@tinker.com>
To: fbsdmail@dnswatch.com
Cc: freebsd-ipfw@freebsd.org
Date: Sun, 18 Jan 2009 17:42:19 -0700
Subject: Re: possible to block one address on all ports?
List-Id: IPFW Technical Discussions

On Jan 18, 2009, at 4:28 PM, fbsdmail@dnswatch.com wrote:

> Greetings Kim, and thank you very much for such a concise overview...
> ... snip ...
>
> I find I'm only left with one question:
> If my box is assigned an internet routable IP (not a private IP),
> which address should take precedence? In other words, knowing that
> IPFW works "top down", or "first match", how would/should I add my
> internet routable IP (assuming I should)? Or should I simply replace
> 127.0.0.1 with my internet routable IP as shown in your example?
>
> I see you have posted another reply. I'll see if you've already
> addressed my question in that reply. :)
>
> Thank you again for taking the time to be so helpful.
>
> Best wishes.
>
> --Chris

You don't need to do anything for your routable IP address. Packets going to and coming from that IP will be matched by rule 65000 and go on through the filter. Also, you don't want to change rules 100 through 300 regardless of the IP address of your interface.

I don't know what you are doing with your machine, but you can look at the rules inserted by the WORKSTATION or SIMPLE firewall configurations to see how to do more sophisticated filtering. I also recommend the book "Building Internet Firewalls" by Chapman and Zwicky to learn more about packet filtering.

Kim

-- 
Kim Shrier - principal, Shrier and Deihl - mailto:kim@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/
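The first-match behaviour Kim describes, worked through as an added example (not code from the thread or from FreeBSD itself): a small evaluator over a rule list modelled on the stock rc.firewall loopback rules 100-300 and the catch-all rule 65000, plus a per-address block rule for one address on all IP ports. The rule texts, the blocked address 203.0.113.5 and the sample packets are constructed assumptions; the point shown is that the block rule only takes effect if it is numbered before 65000.

```python
import ipaddress

# Constructed rule set modelled on the FreeBSD rc.firewall "open" profile
# (assumed, not quoted from the thread). Tuple: (number, action, src, dst, via_lo0)
# via_lo0=True means "via lo0"; None means the rule does not care about interface.
# Using protocol "ip" (no port match) is what blocks an address on every port.
RULES = [
    (100,   "allow", "0.0.0.0/0",      "0.0.0.0/0",      True),  # allow ip from any to any via lo0
    (200,   "deny",  "0.0.0.0/0",      "127.0.0.0/8",    None),  # deny ip from any to 127.0.0.0/8
    (300,   "deny",  "127.0.0.0/8",    "0.0.0.0/0",      None),  # deny ip from 127.0.0.0/8 to any
    (400,   "deny",  "203.0.113.5/32", "0.0.0.0/0",      None),  # block one address, both directions
    (410,   "deny",  "0.0.0.0/0",      "203.0.113.5/32", None),
    (65000, "allow", "0.0.0.0/0",      "0.0.0.0/0",      None),  # allow ip from any to any
]

def first_match(rules, src, dst, via_lo0=False):
    """Return (rule_number, action) for the first rule matching a packet.

    Rules are evaluated in ascending number order, like ipfw; if nothing
    matches, ipfw's implicit default rule 65535 denies the packet.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, action, snet, dnet, lo in sorted(rules, key=lambda r: r[0]):
        if lo is not None and lo != via_lo0:
            continue  # interface qualifier does not match this packet
        if s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return num, action
    return 65535, "deny"

def to_ipfw(rule):
    """Render one tuple as the equivalent 'ipfw add' command line."""
    num, action, snet, dnet, lo = rule
    fmt = lambda n: "any" if n == "0.0.0.0/0" else n.removesuffix("/32")
    cmd = f"ipfw add {num} {action} ip from {fmt(snet)} to {fmt(dnet)}"
    return cmd + " via lo0" if lo else cmd

def misplaced_block(rules):
    """Same rule set but with the block rules renumbered after 65000:
    a common mistake, since first-match means 65000 then wins."""
    return [(65100 if n == 400 else 65110 if n == 410 else n, a, s, d, lo)
            for n, a, s, d, lo in rules]

if __name__ == "__main__":
    for r in RULES:
        print(to_ipfw(r))
    print(first_match(RULES, "203.0.113.5", "198.51.100.7"))            # (400, 'deny')
    print(first_match(misplaced_block(RULES), "203.0.113.5", "198.51.100.7"))  # (65000, 'allow')
```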