Date:      Fri, 14 Jan 2000 18:15:46 +0200
From:      Giorgos Keramidas <charon@hades.hell.gr>
To:        m <kamidesu@hotpop.com>
Cc:        freebsd-questions@FreeBSD.ORG, freebsd-newbies@FreeBSD.ORG
Subject:   Re: IPFW question
Message-ID:  <20000114181546.C6800@hades.hell.gr>
In-Reply-To: <20000112030449.69F52639DC@zagnut.hotpop.com>
References:  <006a01bf5c11$6bdb5940$8b2fa8c0@wipsys.ge.com> <20000111182944.B64680@hades.hell.gr> <20000112030449.69F52639DC@zagnut.hotpop.com>

On Tue, Jan 11, 2000 at 10:04:49PM -0500, m wrote:
> 
> If I deny ip access to an address (10.0.0.1) that includes ALL the
> ports, of course, from 0 to 65535.
> 
> And "allow all via lo0" means anything passing thru lo0 (localhost,
> 127.0.0.1) is allowed, so I can connect to anything IF I'm using lo0,
> even to the specifically denied ip or port numbers.

If you have two interfaces, say lo0 (127.0.0.1/8) and ep0 (10.0.0.1/8)
then when you try to connect to a host in the 10.0.0.0/8 network, the
source address in the packet will be 10.0.0.1, and your rules will
filter it out.

To allow outgoing tcp connections from an interface do not drop all
packets from it.  There are some good examples in the rc.firewall
script that will help you build the rules.  The general case of
allowing only incoming TCP connections on an interface is roughly:

    # pass packets of previously established connections
    add pass tcp from any to any via IFACE established
    # allow setup of outgoing TCP connections
    add pass tcp from any to any out xmit IFACE setup

or something along these lines.

Ciao.

-- 
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"What we have to learn to do, we learn by doing." [Aristotle]
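The two points made in the reply above (that a connection to a 10/8 host leaves via ep0 with source 10.0.0.1, so a deny on that address also kills outgoing traffic, and that the established/setup pair passes only connections the host itself opened) can be checked with a small model of ipfw's first-match evaluation. The code below is an added example, not FreeBSD or ipfw code and not from the thread; it assumes the poster's deny rule has the form `deny ip from 10.0.0.1 to any`, and the interface addresses 127.0.0.1 on lo0 and 10.0.0.1 on ep0 taken from the message.

```python
"""Toy model of ipfw rule evaluation (constructed example, not ipfw itself).

Models first-match semantics, the implicit final deny, the 'via', 'out xmit',
'setup' and 'established' keywords, and the kernel's choice of outgoing
interface and source address for the two-interface host in the message.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed host configuration: lo0 and ep0 as described in the message.
INTERFACES = {"lo0": ip_network("127.0.0.0/8"), "ep0": ip_network("10.0.0.0/8")}
LOCAL_ADDRS = {"lo0": "127.0.0.1", "ep0": "10.0.0.1"}


@dataclass
class Packet:
    src: str
    dst: str
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}
    direction: str = "out"           # "in" or "out"
    iface: str = "ep0"
    proto: str = "tcp"


@dataclass
class Rule:
    action: str                      # "pass" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "any"                 # "any" or a host/CIDR string
    dst: str = "any"
    direction: Optional[str] = None  # None (either), "in" or "out" ('xmit'/'recv')
    iface: Optional[str] = None      # 'via IFACE' / 'xmit IFACE'
    setup: bool = False              # ipfw 'setup': SYN set, ACK clear
    established: bool = False        # ipfw 'established': ACK or RST set


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule decides; ipfw's implicit last rule denies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def outgoing(dst: str, flags) -> Packet:
    """Choose interface and source address the way routing would:
    127/8 leaves via lo0 as 127.0.0.1, 10/8 leaves via ep0 as 10.0.0.1."""
    for name, net in INTERFACES.items():
        if ip_address(dst) in net:
            return Packet(LOCAL_ADDRS[name], dst, frozenset(flags), "out", name)
    raise ValueError("no route to %s" % dst)


# The poster's ruleset (assumed form of the deny rule).
POSTER_RULES = [
    Rule("pass", iface="lo0"),       # add pass all from any to any via lo0
    Rule("deny", src="10.0.0.1"),    # add deny ip from 10.0.0.1 to any
]

# The ruleset sketched in the reply, with IFACE = ep0.
REPLY_RULES = [
    Rule("pass", iface="lo0"),
    Rule("pass", proto="tcp", iface="ep0", established=True),             # via ep0 established
    Rule("pass", proto="tcp", direction="out", iface="ep0", setup=True),  # out xmit ep0 setup
]


def demo() -> dict:
    return {
        # Poster: loopback is fine, but a LAN connection carries src 10.0.0.1 and dies.
        "poster_lo0_syn": evaluate(POSTER_RULES, outgoing("127.0.0.1", {"SYN"})),
        "poster_lan_syn": evaluate(POSTER_RULES, outgoing("10.0.0.5", {"SYN"})),
        # Reply: our SYN leaves, the peer's SYN+ACK returns, a foreign SYN is dropped.
        "reply_lan_syn": evaluate(REPLY_RULES, outgoing("10.0.0.5", {"SYN"})),
        "reply_synack_in": evaluate(REPLY_RULES, Packet("10.0.0.5", "10.0.0.1", frozenset({"SYN", "ACK"}), "in")),
        "reply_foreign_syn_in": evaluate(REPLY_RULES, Packet("10.0.0.9", "10.0.0.1", frozenset({"SYN"}), "in")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22s %s" % (name, verdict))
```

The `established` rule is stateless: it passes any inbound segment with ACK or RST set, whether or not a connection exists, which is the classic weakness of flag-based filtering. Later ipfw versions offer `keep-state`/`check-state` so that the reply direction is tied to a connection the host actually opened; the model above deliberately sticks to the stateless keywords the message uses.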





