Date:      Tue, 25 Feb 1997 13:22:11 -0700 (MST)
From:      Brandon Gillespie <brandon@glacier.cold.org>
To:        freebsd-questions@freebsd.org
Subject:   Firewall setup questions (ipfw rule ordering)
Message-ID:  <Pine.NEB.3.95.970225131303.10320A-100000@glacier.cold.org>

I'm working on setting up a firewall and I'm running into some problems
with my limited knowledge of ipfw.  Assuming the 'simple' firewall rules
set I also want the following 'equivalent' rule:

   ipfw add deny all NOT from ${onet}:${omask} to any via ${oif}

Basically, I'm working on setting up my network with two walls:

             internet
                |
 - - - - router/cleanwall - - - - -
                |
          local network
                |
  - - - - - firewall - - - - -
                |
          secure network

Where the first (router) is basically a 'cleanwall' in that it guarantees
no spoofing and it also drops packets from 192.168.* addresses.  The
localnet will all be on our own Class C network.  Everything on the secure
side of the firewall will be on the 192.168.* address domain, and the
firewall will ONLY allow packets from our IP domain from the outside in,
and on the same hand it will only allow 192.168.* addresses from the
inside out.

Unfortunately, to the best of my knowledge (and the man page) it looks
like ipfw's rules only restrict specific cases, and not the inverse (i.e.
all BUT this case).. or am I mistaken?

I was thinking I could do:

    ipfw add allow all from ${onet}:${omask} to any in via ${oif}

Then simply let everything else be denied--but when 'allow' is matched it
stops checking the rules, so I can't add additional rules for what ports
and networking protocols can be passed over the firewall..

Help?

-Brandon Gillespie
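The following is an added example, not part of Brandon's message or of FreeBSD's ipfw: a small first-match simulator for an ipfw-style rule list. It shows how the "all BUT our network" effect is obtained purely by ordering: the anti-spoofing deny comes first, every allow rule carries a `from ${onet}:${omask}` qualifier, and anything else falls through to the default deny, so no broad `allow` rule is needed and the per-port rules still get evaluated. The network, mask, interface name and ports (192.0.2.0, 255.255.255.0, ed0, 25 and 80) are constructed placeholders standing in for `${onet}`, `${omask}` and `${oif}`.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholders for the poster's ${onet}, ${omask} and ${oif}.
ONET, OMASK, OIF = "192.0.2.0", "255.255.255.0", "ed0"


@dataclass
class Packet:
    src: str          # source IP address
    proto: str        # "tcp", "udp", ...
    dport: int        # destination port
    direction: str    # "in" or "out"
    iface: str        # interface the packet passes through


@dataclass
class Rule:
    number: int
    action: str                 # "allow" or "deny"
    proto: str                  # "all", "tcp", "udp"
    src: str                    # "any" or "net:mask" (old ipfw notation)
    dport: Optional[int]        # destination port, None means any port
    direction: Optional[str]    # "in", "out" or None for both
    iface: Optional[str]        # interface for "via", None for any

    def matches(self, pkt: Packet) -> bool:
        """True if every qualifier on this rule applies to the packet."""
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.src != "any":
            net, mask = self.src.split(":")
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            if ipaddress.ip_address(pkt.src) not in network:
                return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        return True

    def as_command(self) -> str:
        """Render the rule in the ipfw syntax used in the message."""
        cmd = f"ipfw add {self.number} {self.action} {self.proto} from {self.src} to any"
        if self.dport is not None:
            cmd += f" {self.dport}"
        if self.direction is not None:
            cmd += f" {self.direction}"
        if self.iface is not None:
            cmd += f" via {self.iface}"
        return cmd


# Rules in evaluation order.  First match wins, exactly as ipfw does it.
RULES: List[Rule] = [
    # 1. anti-spoofing: private 192.168/16 space must never arrive from outside
    Rule(100, "deny", "all", "192.168.0.0:255.255.0.0", None, "in", OIF),
    # 2. the services we permit, each restricted to our own network as source
    Rule(200, "allow", "tcp", f"{ONET}:{OMASK}", 25, "in", OIF),
    Rule(210, "allow", "tcp", f"{ONET}:{OMASK}", 80, "in", OIF),
    # 3. ipfw's implicit final rule: everything not matched above is dropped
    Rule(65535, "deny", "all", "any", None, None, None),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Rule:
    """Return the first rule that matches; rule 65535 guarantees a result."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise RuntimeError("rule list has no catch-all rule")


def render(rules: List[Rule]) -> List[str]:
    """The rule set as the ipfw commands a startup script would run."""
    return [r.as_command() for r in rules if r.number != 65535]


if __name__ == "__main__":
    for line in render(RULES):
        print(line)
    # constructed sample traffic arriving on the outside interface
    samples = [
        Packet("192.168.1.5", "tcp", 25, "in", OIF),   # spoofed private source
        Packet("192.0.2.10", "tcp", 25, "in", OIF),    # our net, permitted port
        Packet("192.0.2.10", "tcp", 23, "in", OIF),    # our net, unlisted port
        Packet("198.51.100.7", "tcp", 25, "in", OIF),  # foreign net, listed port
    ]
    for pkt in samples:
        hit = evaluate(RULES, pkt)
        print(f"{pkt.src:>13} port {pkt.dport:<3} -> rule {hit.number} {hit.action}")
```

The foreign-network packet to port 25 is the interesting case: no `NOT` operator is involved, it simply fails the `from` qualifier on rules 200 and 210 and lands on the default deny, while packets from the Class C still reach the per-port rules. A real deployment would add the matching rules for the outbound direction and for the reply traffic; the simulator above only covers the inbound ordering the question is about.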
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.95.970225131303.10320A-100000>