Date:      Mon, 10 Feb 1997 09:43:12 -0500 (EST)
From:      Robert Shady <rls@mail.id.net>
To:        julian@whistle.com (Julian Elischer)
Cc:        rls@mail.id.net, tiller@connectnet.com, FreeBSD-Questions@freebsd.org, FreeBSD-ISP@freebsd.org
Subject:   Re: Packet filtering help please
Message-ID:  <199702101443.JAA27415@server.id.net>
In-Reply-To: <32FD37FA.41C67EA6@whistle.com> from Julian Elischer at "Feb 8, 97 06:35:38 pm"

> > Also remember that the numbers are the 'rules numbers', they are
> > parsed from highest to lowest, and everyone must be different.
> > In the above example, it starts out like this
> > 
> > RULE #
> > ======
> > 65536  deny ip from any to any  (Don't let ANYONE into this box by default)
> > 10000  allow ip from all to all (Now allow EVERYONE into this box by default)
> > 1000   deny ip from a.a.a.a     (Now just deny people from a.a.a.a)
> > 
> > And you could add...
> > 
> > 999    deny ip from b.b.b.b     (Now deny people from a.a.a.a & b.b.b.b)
> 
> Boy is that confusing!
> 1/ there can be more than one rule with the same number.. ordering of
> such rules is undefined.
> 2/ the rules are parsed LOWEST to HIGHEST..
> 
> the rules are interpreted with an implied "OTHERWISE go on to the next
> rule".
> 
> while (rules to do) {
> 	if (condition of next rule is true) {
> 		if (rule is deny)
> 			return FALSE;
> 		else	/* rule is accept */
> 			return TRUE;
> 	}
> 	rule++; /* move on to next rule */
> }
> 
> 
> in other words, the set above is:
> 
> 
> 1000 If it's our pesky friend block it and go get the next packet.
> otherwise, go on to the next rule.
> 10000 Allow all packets not already thrown out.
> 65535	*never reached *

I stand corrected...

	-- Rob
===
      _/_/_/_/_/  _/_/_/_/               _/_/    _/  _/_/_/_/_/  _/_/_/_/_/
         _/      _/      _/    _/_/_/   _/  _/  _/  _/_/_/_/        _/
   _/_/_/_/_/  _/_/_/_/               _/      _/  _/_/_/_/_/      _/

                             Innovative Data Services 
                          Serving South-Eastern Michigan 
        Internet Service Provider / Hardware Sales / Consulting Services
       Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net
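The first-match, lowest-number-first evaluation that Julian describes above, as an added example that is not part of the original thread and is not ipfw's own code. It is a small Python model of the rule walk in his pseudocode: rules are visited in ascending number order, the first rule whose source and destination match decides the packet, and 65535 acts as the implicit default deny when nothing matched. Only the `allow`/`deny ... ip from <src> to <dst>` syntax used in the thread is parsed, and the RFC 5737 documentation addresses 192.0.2.1 and 192.0.2.2 are constructed stand-ins for a.a.a.a and b.b.b.b. The `unreachable` check is the practitioner's follow-up to Julian's "never reached" remark: it flags any rule that an earlier rule already covers completely.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Added example: a minimal model of ipfw's first-match evaluation. This is not
# ipfw itself; only "allow"/"deny" with "ip from <src> to <dst>" is modelled.

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(token: str) -> ipaddress.IPv4Network:
    """'any' covers everything; a bare address becomes a /32."""
    return ANY if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse '<number> allow|deny ip from <src> to <dst>' (the subset used in the thread)."""
    tok = text.split()
    if len(tok) != 7 or tok[2] != "ip" or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    number = int(tok[0])
    if not 1 <= number <= 65535:
        raise ValueError(f"rule number out of range: {number}")
    action = tok[1]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action: {action!r}")
    return Rule(number, action, _net(tok[4]), _net(tok[6]))


def ordered(rules: List[Rule]) -> List[Rule]:
    """Evaluation order is ascending rule number. sorted() is stable, so rules
    sharing a number keep insertion order in this model; ipfw makes no such
    promise (Julian's point 1), so never depend on that tiebreak."""
    return sorted(rules, key=lambda r: r.number)


def evaluate(rules: List[Rule], src: str, dst: str) -> Tuple[bool, int]:
    """Walk the rules lowest to highest; the first match decides and nothing
    after it is consulted. Returns (accepted, number of the deciding rule);
    65535 is reported when no rule matched, i.e. the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ordered(rules):
        if s in r.src and d in r.dst:
            return r.action == "allow", r.number
    return False, 65535


def unreachable(rules: List[Rule]) -> List[int]:
    """Numbers of rules that can never decide a packet because some earlier
    rule already matches a superset of their source and destination."""
    dead: List[int] = []
    seen: List[Rule] = []
    for r in ordered(rules):
        if any(r.src.subnet_of(p.src) and r.dst.subnet_of(p.dst) for p in seen):
            dead.append(r.number)
        seen.append(r)
    return dead


# Constructed rule set mirroring the thread, entered in the "highest first"
# order Rob wrote them in; the sort in ordered() is what fixes the evaluation order.
THREAD_RULES = [parse_rule(t) for t in (
    "65535 deny ip from any to any",
    "10000 allow ip from any to any",
    "1000 deny ip from 192.0.2.1 to any",    # stand-in for a.a.a.a
    "999 deny ip from 192.0.2.2 to any",     # stand-in for b.b.b.b
)]

if __name__ == "__main__":
    for src in ("192.0.2.1", "192.0.2.2", "203.0.113.9"):
        ok, n = evaluate(THREAD_RULES, src, "198.51.100.5")
        print(f"{src:>12}: {'allow' if ok else 'deny':5} by rule {n}")
    print("never reached:", unreachable(THREAD_RULES))
```

Running it shows the two blocked hosts stopped by rules 999 and 1000, every other source accepted by 10000, and rule 65535 reported as unreachable, which is exactly why adding a host-specific deny above the catch-all allow works and adding it below would not.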



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702101443.JAA27415>