Date:      Fri, 11 Jan 2002 09:01:29 +0100
From:      "Heimes, Rene" <rh@com-con.net>
To:        <listsub@rambo.simx.org>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   AW: AW: firewalling with ipfw
Message-ID:  <F54B610C5BFDE546BBA2F6CC595ACC75084A0E@exchange2000>

hi rocky,

when applying your suggestion i get the following error:

ipfw: error: hostname ``A.B.C.21,A.B.C.126'' unknown

what's wrong, what more information do you need?

-----Original Message-----
From: Roger 'Rocky' Vetterberg [mailto:listsub@rambo.simx.org]
Sent: Thursday, 10 January 2002 07:36
To: Heimes, Rene
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: AW: firewalling with ipfw


Heimes, Rene wrote:

> I do not know how "keep-state" and "skipto" can solve my problems, so I
> give you this sample ruleset:
>
> ****************
> * HERE IT COMES *
> ****************
>
> 	# Low Access Clients
> 	${fwcmd} add deny log all from any to A.B.C.96
> 	${fwcmd} add pass udp from A.B.C.96 to any 53
> 	${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 80
> 	${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 443
> 	${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 80
> 	${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 443
> 	${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 80
> 	${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 443
> 	${fwcmd} add pass tcp from A.B.C.96 to any 119
> 	${fwcmd} add pass tcp from A.B.C.96 to any 1494
> 	${fwcmd} add pass udp from A.B.C.96 to any 1604
> 	${fwcmd} add pass icmp from A.B.C.96 to any icmptypes 8 keep-state
> 	${fwcmd} add pass icmp from any to A.B.C.96 icmptypes 0 keep-state
>


[snip a lot of similar rules]

> ***************
> * AND THAT'S IT *
> ***************
>
> So you all can pitch into that piece - what can be improved here???
>


Why not something like this:

# Low Access Clients
LAC="A.B.C.96,A.B.C.99,A.B.C.35"
${fwcmd} add deny log all from any to ${LAC}
${fwcmd} add pass udp from ${LAC} to any 53
${fwcmd} add pass tcp from ${LAC} to www.bahn.de 80
...

If a "low access client" changes ip, disappears or maybe gets
promoted to a "high access client" :), all you need to do is
remove it from or edit its entry in the LAC= line at the top.

--
R
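The error at the top of the thread shows what went wrong with the suggested LAC= line: the ipfw in use here took the whole string ``A.B.C.21,A.B.C.126'' as a single hostname and tried to resolve it, because that version does not parse a comma-separated address list in the from/to position. A way to keep Rocky's "one list at the top" idea that works on any ipfw version is to expand the list in the shell and hand ipfw one address per rule. The script below is an added example, not code from either message in the thread: the A.B.C.* addresses and the three web sites are the placeholders the thread already uses, FWCMD defaulting to "echo ipfw" is this example's dry-run device so the file can be run anywhere without touching a firewall, and the check-state/keep-state placement is a design choice of this example (see the comments), not something either poster specified.

```shell
#!/bin/sh
# Added example, not code from the thread: generate one ipfw rule per host
# from a space-separated client list, so a comma-separated string such as
# "A.B.C.21,A.B.C.126" (which ipfw rejected as an unknown hostname) never
# reaches ipfw at all.
#
# Assumptions: the A.B.C.* addresses and the three web hosts are the
# thread's placeholders; FWCMD defaults to "echo ipfw", so running this
# file is a dry run that only prints the rules.  Set FWCMD=ipfw on the
# firewall (as root) to load them for real.

FWCMD="${FWCMD:-echo ipfw}"

# Low Access Clients: edit this list to add, remove or promote a host.
LAC="A.B.C.96 A.B.C.99 A.B.C.35"

# Web sites every low-access client may reach on ports 80 and 443.
LAC_WEB="www.bahn.de www.spiegel.de www.gsn.de"

# Rules for a single client.  Denying everything inbound to the host first,
# as in the posted ruleset, also drops the replies to the host's own
# connections, so the outbound pass rules here carry keep-state and the
# matching check-state is emitted once by lac_rules before any deny.
# That placement is this example's choice, not something the thread gives.
lac_rules_for_host() {
    host="$1"
    $FWCMD add deny log all from any to "$host"
    $FWCMD add pass udp from "$host" to any 53 keep-state
    for web in $LAC_WEB; do
        $FWCMD add pass tcp from "$host" to "$web" 80 keep-state
        $FWCMD add pass tcp from "$host" to "$web" 443 keep-state
    done
    $FWCMD add pass tcp from "$host" to any 119 keep-state
    $FWCMD add pass tcp from "$host" to any 1494 keep-state
    $FWCMD add pass udp from "$host" to any 1604 keep-state
    $FWCMD add pass icmp from "$host" to any icmptypes 8 keep-state
}

# The whole low-access block: one check-state, then the per-host rules.
lac_rules() {
    $FWCMD add check-state
    for host in $LAC; do
        lac_rules_for_host "$host"
    done
}

# Number of rules the block expands to, as a sanity check before loading
# (1 check-state + 12 per host with the lists above).
lac_rule_count() {
    lac_rules | wc -l | tr -d ' '
}

# Dry run: print the rules that would be loaded.
lac_rules
```

Run it as-is to review the expanded ruleset, then with `FWCMD=ipfw` to load it. The shell loop is deliberately version-independent; on the later ipfw2 syntax (FreeBSD 5 and later) the same effect is available in one rule through an address set such as `{ A.B.C.96 or A.B.C.99 }` or a lookup table, but the expansion above is what works when ipfw reports a comma-separated list as an unknown hostname.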








Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?F54B610C5BFDE546BBA2F6CC595ACC75084A0E>