Date: Thu, 7 Mar 2002 12:26:48 -0600
From: chris <chris@dancingmoon-herbs.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules
Message-ID: <E2FE487E-31F8-11D6-88F8-0003931C6896@dancingmoon-herbs.com>
In-Reply-To: <20020307101905.B57408@xor.obsecurity.org>
On Thursday, March 7, 2002, at 12:19 PM, Kris Kennaway wrote:

> On Thu, Mar 07, 2002 at 09:33:40AM -0600, chris wrote:
>> I currently have a rule that denies all traffic not from an IP range
>> in. I need to open that up to allow two distinct IP ranges in.
>> Obviously adding a second "deny not" will not allow anyone in; how do I
>> do this?
>
> Add an allow rule for the first range, an allow rule for the second
> range, and a "deny all rule" after both of them to catch the rest.
>
> Kris

I have done that, as was suggested earlier by Girnet Vladimir, but ran into a problem with diverting to an internal machine.

    $fwcmd add 2100 allow tcp from 129.130.75.0/24 to xxx.xxx.xxx.xxx 80
    $fwcmd add 2200 allow tcp from 17.254.0.0/24 to xxx.xxx.xxx.xxx 80
    $fwcmd add 2300 deny tcp from any to xxx.xxx.xxx.xxx 80
    # divert traffic
    $fwcmd add 2400 divert natd all from any to any
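The rule order in the post is what decides what natd ever sees: ipfw evaluates rules top-down and stops at the first match, so the deny at 2300 catches port-80 packets from outside the two allowed networks before rule 2400 can hand anything to natd. The following simulator is an added example (not code from the thread or from FreeBSD) that replays the four posted rules against constructed packets under first-match semantics; it assumes 192.0.2.10 as a stand-in for the post's xxx.xxx.xxx.xxx and a deny-by-default final rule.

```python
import ipaddress

# Constructed stand-in for the xxx.xxx.xxx.xxx public address in the posted rules.
PUBLIC_IP = ipaddress.ip_address("192.0.2.10")

# The four rules from the post, in ipfw number order.
# Fields: (number, action, proto, source network, destination address, destination port);
# None means "any" for that field.
RULES = [
    (2100, "allow",  "tcp", ipaddress.ip_network("129.130.75.0/24"), PUBLIC_IP, 80),
    (2200, "allow",  "tcp", ipaddress.ip_network("17.254.0.0/24"),   PUBLIC_IP, 80),
    (2300, "deny",   "tcp", ipaddress.ip_network("0.0.0.0/0"),       PUBLIC_IP, 80),
    (2400, "divert", None,  ipaddress.ip_network("0.0.0.0/0"),       None,      None),
]

# Assumed final rule: FreeBSD's default rule 65535 denies unless the kernel was
# built to accept by default.
DEFAULT_RULE = (65535, "deny")


def first_match(src, dst, proto, dport, rules=RULES):
    """Return (rule number, action) of the first rule matching a packet,
    mimicking ipfw's top-down, first-match evaluation."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for num, action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if src not in r_src:
            continue
        if r_dst is not None and dst != r_dst:
            continue
        if r_port is not None and dport != r_port:
            continue
        return num, action
    return DEFAULT_RULE


def reaches_natd(packets, rules=RULES):
    """Return the subset of (src, dst, proto, dport) packets that the rule set
    actually hands to natd, i.e. those whose first match is the divert rule."""
    return [p for p in packets if first_match(*p, rules=rules)[1] == "divert"]


if __name__ == "__main__":
    # Constructed sample packets: two from the allowed networks, one port-80 and
    # one port-22 packet from an unrelated source.
    samples = [("129.130.75.7", "192.0.2.10", "tcp", 80),
               ("17.254.0.9", "192.0.2.10", "tcp", 80),
               ("198.51.100.4", "192.0.2.10", "tcp", 80),
               ("198.51.100.4", "192.0.2.10", "tcp", 22)]
    for pkt in samples:
        print(pkt, "->", first_match(*pkt))
    print("handed to natd:", reaches_natd(samples))
```

Only the port-22 packet reaches the divert rule; every port-80 packet is decided by 2100, 2200 or 2300 first, which is why nothing on port 80 is left for natd to redirect.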