Date:      Mon, 1 Jul 2002 07:36:09 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        ???? ??????? <ilia@chel.skbkontur.ru>
Cc:        questions@FreeBSD.ORG
Subject:   Re: ipfw: broadcast thing
Message-ID:  <20020701063609.GA44340@happy-idiot-talk.infracaninophi>
In-Reply-To: <20020701075031.H5982-100000@sol.chel.skbkontur.ru>
References:  <20020630212920.GA42452@happy-idiot-talk.infracaninophi> <20020701075031.H5982-100000@sol.chel.skbkontur.ru>

On Mon, Jul 01, 2002 at 07:52:05AM +0600, ???? ??????? wrote:
> 
> > On Sun, Jun 30, 2002 at 11:48:56PM +0600, ???? ??????? wrote:
> > > Dear Sirs,
> > >
> > > for example, rl0 and rl1 are local (non-Internet) interfaces.
> > >
> > > (I'm going to switch to stateful rules soon, but for now I've configured
> > > stateless firewall):
> > >
> > > ipfw add 100 allow ip from me to any
> > > ipfw add 200 allow ip from any to me via rl0
> > > ipfw add 200 allow ip from any to me via rl1
> > >
> > > that's simple, that's good, I even like it:)
> > > but such configuration doesn't pass broadcast packets:
> > >
> > > Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> > > 255.255.255.255:520 in via rl1
> > > Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138
> > > 192.168.100.255:138 in via rl0
> > > Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> > > 255.255.255.255:520 in via rl1
> > > Jun 30 23:43:45 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520
> > > 255.255.255.255:520 in via rl1
> > >
> > >
> > > can anybody help me with "allow"ing broadcast traffic ??
> >
> > If you know what the IP address is on each of your interfaces, it is more
> > efficient to quote it explicitly in your IPFW rulesets.  You can also
> > change the filter to take account of the local network number and
> > netmask, which will allow broadcast packets as well:
> >
> > ipfw add 100 allow ip from 192.168.100.28 to any
> > ipfw add 150 allow ip from 192.168.200.3 to any
> > ipfw add 200 allow ip from any to 192.168.100.0/24 via rl0
> > ipfw add 250 allow ip from any to 192.168.200.0/24 via rl1
> 
> no, I don't want to pass "from any to any", I just want to pass
> "from me to any" + "from any to me" + "broadcast things" (no matter
> what the meaning of the broadcast is: RIP, SMB or whatever)

What I wrote is very different to a 'from any to any' rule.

Try:

ipfw add 100 allow ip from 192.168.100.28 to any
ipfw add 150 allow ip from 192.168.200.3 to any
ipfw add 200 allow ip from any to 192.168.100.28 via rl0
ipfw add 250 allow ip from any to 192.168.200.3 via rl1
ipfw add 300 allow ip from any to 192.168.100.255 via rl0
ipfw add 350 allow ip from any to 192.168.200.255 via rl1

or if you want to get really strict about it:

ipfw add 100 allow ip from 192.168.100.28 to any out via rl0
ipfw add 150 allow ip from 192.168.200.3 to any out via rl1
ipfw add 200 allow ip from any to 192.168.100.28 in via rl0
ipfw add 250 allow ip from any to 192.168.200.3 in via rl1
ipfw add 300 allow ip from any to 192.168.100.255 in via rl0
ipfw add 350 allow ip from any to 192.168.200.255 in via rl1

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
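The "really strict" ruleset above, as an added example that is not part of the thread: a POSIX sh script that derives each interface's directed-broadcast address from its IP and netmask, emits the out/in/broadcast rules per interface, and then replays the four logged Deny lines from the question against the generated rules. One point the replay makes visible: the logged RIP packets (port 520) are addressed to 255.255.255.255, the limited broadcast, which a rule for 192.168.200.255 does not match, so the script can optionally add a `to 255.255.255.255 in via` rule per interface. The interface names and host addresses come from the thread; the 255.255.255.0 masks, the rule-number step of 50 and the rule ordering are assumptions. `IPFW` defaults to `echo ipfw`, so by default the script only prints rules; set `IPFW=ipfw` on a FreeBSD host to load them.

```shell
#!/bin/sh
# Added example, not code from the thread: build the strict ipfw ruleset
# for a list of local interfaces and replay the question's Deny log lines
# against it.  Masks, rule-number step and ordering are assumptions.
# IPFW defaults to "echo ipfw" so nothing is loaded unless IPFW=ipfw.

IPFW=${IPFW:-echo ipfw}

# Directed broadcast address = address OR (NOT mask), computed per octet.
broadcast_addr() {
    set -- $(printf '%s' "$1" | tr '.' ' ') $(printf '%s' "$2" | tr '.' ' ')
    printf '%d.%d.%d.%d\n' \
        $(( $1 | (255 - $5) )) $(( $2 | (255 - $6) )) \
        $(( $3 | (255 - $7) )) $(( $4 | (255 - $8) ))
}

# emit_rules MODE iface addr mask [iface addr mask ...]
# MODE "directed" gives the three rules per interface from the thread:
# host out, host in, directed broadcast in.  MODE "directed+limited" also
# allows packets to 255.255.255.255 in on that interface, which is where
# the logged RIP packets (port 520) are addressed.
emit_rules() {
    mode=$1; shift
    n=100
    while [ $# -ge 3 ]; do
        iface=$1; addr=$2; bcast=$(broadcast_addr "$2" "$3"); shift 3
        $IPFW add $n allow ip from "$addr" to any out via "$iface"; n=$((n + 50))
        $IPFW add $n allow ip from any to "$addr" in via "$iface";  n=$((n + 50))
        $IPFW add $n allow ip from any to "$bcast" in via "$iface"; n=$((n + 50))
        case $mode in *limited*)
            $IPFW add $n allow ip from any to 255.255.255.255 in via "$iface"
            n=$((n + 50)) ;;
        esac
    done
}

# The four Deny lines quoted in the question, re-joined onto single lines.
LOG='Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138 192.168.100.255:138 in via rl0
Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
Jun 30 23:43:45 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1'

# check_log MODE iface addr mask [...]: for each logged Deny line, report
# whether the generated ruleset contains an "allow ... to DST in via IFACE"
# rule for it (an exact-rule lookup, not a general ipfw matcher).
check_log() {
    rules=$(IPFW="echo ipfw"; emit_rules "$@")
    while read -r line; do
        set -- $line            # field 11 = dst:port, 12 = in/out, 14 = interface
        dst=${11%:*}; dir=${12}; iface=${14}
        if printf '%s\n' "$rules" | grep -qF "to $dst $dir via $iface"; then
            echo "allowed:      $dst $dir via $iface"
        else
            echo "still denied: $dst $dir via $iface"
        fi
    done <<EOF
$LOG
EOF
}

IFACES="rl0 192.168.100.28 255.255.255.0 rl1 192.168.200.3 255.255.255.0"
echo "# ruleset as in the thread (directed broadcast only):"
emit_rules directed $IFACES
echo "# logged packets against it:"
check_log directed $IFACES
echo "# same, with limited-broadcast rules added:"
check_log directed+limited $IFACES
```

Run as `sh script.sh` to see the rules and the replay; with the thread's rules only the 192.168.100.255:138 (SMB) packet is covered, while the three 255.255.255.255:520 (RIP) packets remain denied until the `directed+limited` variant is used.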
