Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 28 Nov 2005 18:59:27 +0100 (CET)
From:      Oliver Fromme <olli@lurza.secnetix.de>
To:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Features enhacement: AND-block and "me" expression on a table...
Message-ID:  <200511281759.jASHxR3q093197@lurza.secnetix.de>
In-Reply-To: <43833270.8060502@freebsdbrasil.com.br>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Patrick Tracanelli <eksffa@freebsdbrasil.com.br> wrote:
 > Would it be hard to make ipfw processing "and" blocks, just like "or" 
 > blocks? I mean, in the following situation:
 > 
 > ipfw add deny log tcp from { not 10.10.10.10/32 or not 10.10.10.20/32 } 
 > to any dst-port 22 out via fxp0 setup keep-state
 > 
 > On my understanding, this rule will *always* match, because the OR block 
 > makes the source always be true, because it *won't* be a orign OR won't 
 > the other be. What if we could have:
 > 
 > ipfw add deny log tcp from { not 10.10.10.10/32 and not 10.10.10.20/32 } 
 > to any dst-port 22 out via fxp0 setup keep-state

First, some small notes:

1.  It usually doesn't make much sense to use "keep-state"
    with deny rules.  I suggest you omit it.
2.  You can also savely omit the "setup" option.
3.  You can omit the /32 bitmask (it's the default).
4.  I'm not sure whether you really mean "via".  It seems
    that "xmit" is intended in this case, not "via".
5.  And finally, you don't have to write "dst-port" (it
    doesn't hurt, but I prefer to write rules in a compact
    way because I think it's more readable when the lines
    don't have to wrap on a standard 80-columns terminal).

Now to your question about an "and" operator.

There are several possibilities to do what you want.
For example, you could use a byte list:

deny log tcp from not 10.10.10.0/24 to any 22 out xmit fxp0
deny log tcp from 10.10.10.0/24{0-9,11-19,21-255} to any 22 out xmit fxp0

Or slightly different (negated byte list):

deny log tcp from not 10.10.10.0/24 to any 22 out xmit fxp0
deny log tcp from not 10.10.10.0/24{10,20} to any 22 out xmit fxp0

Or you could use a skipto rule:

100 skipto 300 all from { 10.10.10.10 or 10.10.10.20 }
200 deny log tcp from any to any 22 out xmit fxp0
300 ...

Personally I like the latter best, because it's the most
flexible solution.  It's also easy to read and understand.
You can easily place more rules in the range which is
skipped over for the two priviledged IP addresses, and
you don't have to mention those IP addresses again in
every such rule.

With careful use of "skipto" rules, it is easy to make
very well-structured rule sets.  Using "skipto" also often
improves performance of the rule set, because fewer rules
have to be analyzed for every packet.

If you have a lot of rules, it is almost always a good idea
to group them into logical units and then use "skipto" to
jump into the appropriate groups.  Doing that can improve
performance by a big factor.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"Emacs ist für mich kein Editor. Für mich ist das genau das gleiche, als
wenn ich nach einem Fahrrad (für die Sonntagbrötchen) frage und einen
pangalaktischen Raumkreuzer mit 10 km Gesamtlänge bekomme. Ich weiß nicht,
was ich damit soll." -- Frank Klemm, de.comp.os.unix.discussion



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?200511281759.jASHxR3q093197>