Date:      Thu, 7 Mar 2002 12:26:48 -0600
From:      chris <chris@dancingmoon-herbs.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw rules
Message-ID:  <E2FE487E-31F8-11D6-88F8-0003931C6896@dancingmoon-herbs.com>
In-Reply-To: <20020307101905.B57408@xor.obsecurity.org>



On Thursday, March 7, 2002, at 12:19 PM, Kris Kennaway wrote:

> On Thu, Mar 07, 2002 at 09:33:40AM -0600, chris wrote:
>> I currently have a rule that denies all traffic not from an ip range
>> in.  I need to open that up to allow two distinct ip ranges in.
>> Obviously adding a second deny not will not allow anyone in, how do I
>> do this?
>
> Add an allow rule for the first range, an allow rule for the second
> range, and a "deny all rule" after both of them to catch the rest.
>
> Kris
>
I have done that as was suggested earlier by Girnet Vladimir, but ran
into a problem with diverting to an internal machine.

	$fwcmd add 2100 allow tcp from 129.130.75.0/24 to xxx.xxx.xxx.xxx 80
	$fwcmd add 2200 allow tcp from 17.254.0.0/24 to xxx.xxx.xxx.xxx 80
	$fwcmd add 2300 deny tcp from any to xxx.xxx.xxx.xxx 80
# divert traffic
	$fwcmd add 2400 divert natd all from any to any

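An added illustration of the ordering problem in the ruleset above (example code written for this archive page, not from the thread or from FreeBSD): a small Python model of ipfw's first-match evaluation with a natd divert rule. In ipfw, an `allow` or `deny` rule that matches ends processing, so an inbound packet from 129.130.75.0/24 to the public address matches rule 2100 and is accepted before it ever reaches the divert at 2400; natd never rewrites it to the internal machine. Placing the divert before the filter rules and matching those rules on the address natd rewrites the packet to lets the two allowed ranges reach the internal host while everything else is dropped. The public address (masked as xxx.xxx.xxx.xxx in the post), the internal address, the rule number 2000 and the port-80 redirect are all constructed assumptions, and the model covers inbound port-80 traffic only; a real ruleset also needs the outbound translation and rules for the rest of the traffic.

```python
import ipaddress

# Constructed placeholder addresses: the post masks its public address as
# xxx.xxx.xxx.xxx, and the internal web server's address is not given.
PUBLIC_IP = "198.51.100.10"    # assumed external address of the gateway
INTERNAL_IP = "192.168.1.10"   # assumed address natd redirects port 80 to


def rule(num, action, proto, src, dst, dport=None):
    """One ipfw rule: 'src' is a CIDR or 'any', 'dst' a host address or 'any'."""
    return {"num": num, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def packet(src, dst=PUBLIC_IP, dport=80, proto="tcp"):
    """An inbound packet as seen on the external interface, before NAT."""
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


def matches(r, pkt):
    """Does rule r match the packet?  Only the fields the post's rules use."""
    if r["proto"] not in ("all", pkt["proto"]):
        return False
    if r["src"] != "any" and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"]):
        return False
    if r["dst"] != "any" and pkt["dst"] != r["dst"]:
        return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    return True


def natd_inbound(pkt):
    """Model of an assumed 'natd -redirect_port tcp INTERNAL_IP:80 80' for inbound packets."""
    if pkt["dst"] == PUBLIC_IP and pkt["dport"] == 80:
        return dict(pkt, dst=INTERNAL_IP)
    return pkt


def run(rules, pkt):
    """ipfw first-match semantics: allow/deny terminate the search; divert hands
    the packet to natd and continues at the next rule with the rewritten packet.
    Returns (verdict, destination address the verdict was reached on)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            pkt = natd_inbound(pkt)
            continue
        return r["action"], pkt["dst"]
    return "deny", pkt["dst"]     # implicit default rule 65535


def to_ipfw(rules, fwcmd="$fwcmd"):
    """Render a ruleset in the '$fwcmd add ...' form used in the post."""
    lines = []
    for r in sorted(rules, key=lambda r: r["num"]):
        target = "natd " if r["action"] == "divert" else ""
        port = f" {r['dport']}" if r["dport"] is not None else ""
        lines.append(f"{fwcmd} add {r['num']} {r['action']} {target}{r['proto']} "
                     f"from {r['src']} to {r['dst']}{port}")
    return lines


# Ruleset as posted: the allow at 2100 terminates processing, so the packet is
# accepted with its public destination and never reaches the divert at 2400.
POSTED = [
    rule(2100, "allow", "tcp", "129.130.75.0/24", PUBLIC_IP, 80),
    rule(2200, "allow", "tcp", "17.254.0.0/24", PUBLIC_IP, 80),
    rule(2300, "deny", "tcp", "any", PUBLIC_IP, 80),
    rule(2400, "divert", "all", "any", "any"),
]

# Reordered (rule number 2000 is an assumption): divert first, then filter on
# the address natd rewrote the packet to, so the allowed ranges reach the
# internal machine and every other source is dropped.
REORDERED = [
    rule(2000, "divert", "all", "any", "any"),
    rule(2100, "allow", "tcp", "129.130.75.0/24", INTERNAL_IP, 80),
    rule(2200, "allow", "tcp", "17.254.0.0/24", INTERNAL_IP, 80),
    rule(2300, "deny", "tcp", "any", INTERNAL_IP, 80),
]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reordered", REORDERED)):
        print(f"--- {name}")
        for line in to_ipfw(rules):
            print(line)
        for src in ("129.130.75.5", "203.0.113.9"):
            print(src, "->", run(rules, packet(src)))
```

Running the script prints both rulesets and the verdict each reaches for a source inside the first allowed range and for an outside source; in the posted order the allowed packet is accepted with the public address as destination (it was never translated), while in the reordered set it is accepted with the internal address and the outside source is denied.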

