From owner-freebsd-questions Tue Feb 25 12:19:59 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id MAA13143 for questions-outgoing; Tue, 25 Feb 1997 12:19:59 -0800 (PST)
Received: from glacier.cold.org (glacier.cold.org [206.81.134.54]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id MAA13138 for ; Tue, 25 Feb 1997 12:19:50 -0800 (PST)
Received: from localhost (brandon@localhost) by glacier.cold.org (8.8.3/8.8.3) with SMTP id NAA10329 for ; Tue, 25 Feb 1997 13:22:11 -0700 (MST)
Date: Tue, 25 Feb 1997 13:22:11 -0700 (MST)
From: Brandon Gillespie
To: freebsd-questions@freebsd.org
Subject: Firewall setup questions (ipfw rule ordering)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I'm working on setting up a firewall and I'm running into some problems with my limited knowledge of ipfw. Assuming the 'simple' firewall rule set, I also want the following 'equivalent' rule:

    ipfw add deny all NOT from ${onet}:${omask} to any via ${oif}

Basically, I'm working on setting up my network with two walls:

                 internet
                    |
        - - - - router/cleanwall - - - - -
                    |
               local network
                    |
        - - - - - firewall - - - - -
                    |
              secure network

Where the first (router) is basically a 'cleanwall' in that it guarantees no spoofing and it also drops packets from 192.168.* addresses. The localnet will all be on our own Class C network. Everything on the secure side of the firewall will be on the 192.168.* address domain, and the firewall will ONLY allow packets from our IP domain from the outside in, and on the same hand it will only allow 192.168.* addresses from the inside out.

Unfortunately, to the best of my knowledge (and the man page) it looks like ipfw's rules only restrict specific cases, and not the inverse (i.e. all BUT this case)... or am I mistaken?

I was thinking I could do:

    ipfw add allow all from ${onet}:${omask} to any in via ${oif}

Then simply let everything else be denied--but when 'allow' is matched it stops checking the rules, so I can't add additional rules for what ports and networking protocols can be passed over the firewall.. Help?

-Brandon Gillespie
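The following is an added example, not part of the post above and not FreeBSD's own ipfw code. It models the first-match behaviour the question turns on: ipfw stops at the first rule that matches, so the policy "only our Class C from outside in, only 192.168/16 from inside out, then specific services" is expressed by ordering the two anti-spoof denies first, the narrow per-service allows after them, and relying on the implicit final deny. The small evaluator below renders each rule in ipfw(8) syntax (later ipfw releases accept `not` in front of an address, which is the inverse match the post asks for) and then decides a few constructed packets against the same rules in the right order and in the wrong order. Assumed values, none of which are in the mail: `${onet}:${omask}` becomes 192.0.2.0/24 (a documentation prefix standing in for the Class C), the secure side is 192.168.0.0/16, `${oif}` is `ed0`, and every rule is taken to be `via ed0`.

```python
"""First-match evaluation of an ipfw-style ruleset for the inner firewall.

Added example, not code from the mailing-list post. Assumed stand-ins for
the mail's placeholders: ${onet}:${omask} -> 192.0.2.0/24, the secure side
-> 192.168.0.0/16, ${oif} -> "ed0". Every rule is treated as "via ed0".
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ONET = ip_network("192.0.2.0/24")      # assumed stand-in for ${onet}:${omask}
SECURE = ip_network("192.168.0.0/16")  # the secure network behind the firewall
ANY = ip_network("0.0.0.0/0")
OIF = "ed0"                            # assumed stand-in for ${oif}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", ...
    src: IPv4Address
    dst: IPv4Address
    direction: str             # "in" (arriving on OIF) or "out" (leaving via OIF)
    dport: Optional[int] = None


def pkt(proto: str, src: str, dst: str, direction: str, dport: Optional[int] = None) -> Packet:
    """Build a constructed test packet from dotted-quad strings."""
    return Packet(proto, ip_address(src), ip_address(dst), direction, dport)


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "ip" matches every protocol
    src: IPv4Network
    dst: IPv4Network
    direction: Optional[str] = None   # None matches both directions
    dport: Optional[int] = None       # None matches any destination port
    src_not: bool = False             # "from not <src>": match all BUT src
    dst_not: bool = False             # "to not <dst>"

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if (p.src in self.src) == self.src_not:   # membership xor negation flag
            return False
        if (p.dst in self.dst) == self.dst_not:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        return self.dport is None or self.dport == p.dport

    def as_ipfw(self, number: int) -> str:
        """Render as an ipfw(8) command in the syntax that accepts 'not'."""
        src = "any" if self.src == ANY else str(self.src)
        dst = "any" if self.dst == ANY else str(self.dst)
        words = ["ipfw", "add", str(number), self.action, self.proto, "from"]
        words += (["not"] if self.src_not else []) + [src, "to"]
        words += (["not"] if self.dst_not else []) + [dst]
        if self.dport is not None:
            words.append(str(self.dport))
        if self.direction is not None:
            words.append(self.direction)
        return " ".join(words + ["via", OIF])


def decide(rules: List[Rule], p: Packet) -> str:
    """Action of the first matching rule; ipfw's last rule denies what is left."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def render(rules: List[Rule]) -> List[str]:
    return [r.as_ipfw(100 * (i + 1)) for i, r in enumerate(rules)]


# Anti-spoofing: outside in, only our Class C; inside out, only 192.168/16.
ANTI_SPOOF = [
    Rule("deny", "ip", ONET, ANY, "in", src_not=True),
    Rule("deny", "ip", SECURE, ANY, "out", src_not=True),
]
# Per-service allows. The SMTP rule is deliberately "from any" to show why
# the anti-spoof denies have to sit in front of it.
SERVICES = [
    Rule("allow", "tcp", ONET, SECURE, "in", dport=22),
    Rule("allow", "tcp", ANY, SECURE, "in", dport=25),
    Rule("allow", "tcp", SECURE, ANY, "out"),
]
WELL_ORDERED = ANTI_SPOOF + SERVICES   # denies first, narrow allows, default deny last
ALLOWS_FIRST = SERVICES + ANTI_SPOOF   # same rules, wrong order

# Constructed sample traffic, not captured data.
SAMPLES = {
    "ssh from the Class C":               pkt("tcp", "192.0.2.10", "192.168.1.5", "in", 22),
    "smtp, 192.168 source from outside":  pkt("tcp", "192.168.1.7", "192.168.1.5", "in", 25),
    "udp from the Class C, no allow rule": pkt("udp", "192.0.2.10", "192.168.1.5", "in", 53),
    "web from the secure net outbound":   pkt("tcp", "192.168.1.5", "198.51.100.1", "out", 80),
    "10/8 source leaking outbound":       pkt("udp", "10.0.0.3", "198.51.100.1", "out", 53),
}

if __name__ == "__main__":
    for line in render(WELL_ORDERED):
        print(line)
    for name, p in SAMPLES.items():
        print(f"{name:38s} ordered={decide(WELL_ORDERED, p):5s} allows-first={decide(ALLOWS_FIRST, p)}")
```

The spoofed SMTP packet is the case to watch: with the anti-spoof denies first it is dropped at rule 100, with the allows first the broad `from any ... 25` rule matches and evaluation stops there, which is exactly the "allow stops checking" effect the post describes, turned into a leak. The UDP packet shows the other half of the design: nothing has to deny it explicitly, because a packet that matches no allow falls through to the final deny.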