Date: Thu, 15 Feb 2001 14:09:49 +0000
From: Chris Elsworth <chrise@demon.net>
To: Simon Loader <simon@herculeez.com>
Cc: stable@FreeBSD.ORG
Subject: Re: ipfw query..
Message-ID: <20010215140949.A96244@demon.net>
In-Reply-To: <3A8BE217.7AF6BFBD@herculeez.com>; from simon@herculeez.com on Thu, Feb 15, 2001 at 02:05:11pm +0000
References: <20010215130342.A95395@demon.net> <20010215135309.A23654@rug-rats.org> <3A8BE217.7AF6BFBD@herculeez.com>
On Thu, Feb 15, 2001 at 02:05:11pm +0000, Simon Loader wrote:
> Bradley Kite wrote:
> >
> > I'm sure there is a flag you can append to the end of
> > the pipe rules, that tell ipfw to continue going through the rules
> > instead of stopping when they match.
> >
> > I can't remember what the flag is tho, sorry :-(
> >
> > > I'm sure I'm doing something really fundamentally wrong here, but if I do
> > > this with ipfw:
> > >
> > > 00300 0 0 pipe 15 ip from any to 195.11.8.227
> > > 00400 0 0 pipe 20 ip from 195.11.8.227 to any
> > >
> > > and then later on:
> > >
> > > 03000 0 0 unreach host tcp from any to 195.11.8.227 3306
> > >
> couldn't you move rule 3000 to 290 or something ?
> Or perhaps you haven't a certain reason for this order ?

Here's the order I do it in..

>-- 
pipes first - I was planning to do everything so I could count it and bandwidth limit it
deny anything appearing to come from RFC1918 ranges
deny any ports I specifically don't want people to see like 3306
deny any source IPs I specifically don't want to let in
allow selected privileged ports (ssh, smtp, et al)
allow selected outbound accesses (tho this is paranoid and could go)
deny everything else
>-- 

If I don't put the pipes first then I can't bandwidth limit, because when the packets go through one of the allow rules, to, say, sshd - then they'll never see the pipe and won't get limited or counted. So the pipes have to come first..

-- 
Chris Elsworth            tel: 020 8371 1041
Systems Administrator     mob: 07968 324 693        demon @ thus
Web & Hosting Team        chrise@demon.net          http://www.demon.net
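An added example, not part of the thread: a small first-match simulator over a constructed ruleset in the order Chris describes (pipes, RFC1918 denies, the port-3306 block, selected allows, catch-all deny). It shows why the pipe rules have to precede the allow rules for accounting to work, and how the net.inet.ip.fw.one_pass sysctl (assumed here to be the switch that decides whether a packet continues past a pipe rule) changes the outcome. The rule and packet fields, the simulator and `pipes_last` are all assumptions for illustration, not FreeBSD code.

```python
import ipaddress

# Constructed rules mirroring the order Chris describes: pipes first, then
# RFC1918 denies, then the port-3306 block, then the selected allows, then
# the catch-all deny.  Only the fields the simulator needs are modelled.
RULES = [
    dict(num=300, action="pipe", proto="ip", src="any", dst="195.11.8.227", pipe=15),
    dict(num=400, action="pipe", proto="ip", src="195.11.8.227", dst="any", pipe=20),
    dict(num=1000, action="deny", proto="ip", src="10.0.0.0/8", dst="any"),
    dict(num=1001, action="deny", proto="ip", src="172.16.0.0/12", dst="any"),
    dict(num=1002, action="deny", proto="ip", src="192.168.0.0/16", dst="any"),
    dict(num=3000, action="unreach", proto="tcp", src="any", dst="195.11.8.227", dport=3306),
    dict(num=4000, action="allow", proto="tcp", src="any", dst="195.11.8.227", dport=22),
    dict(num=65535, action="deny", proto="ip", src="any", dst="any"),
]

def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    return _in(pkt["src"], rule["src"]) and _in(pkt["dst"], rule["dst"])

def evaluate(rules, pkt, one_pass=False):
    """First-match walk. A pipe rule records its pipe number; with one_pass
    False (net.inet.ip.fw.one_pass=0) the walk continues at the next rule,
    with one_pass True the packet leaves the firewall accepted after the pipe
    and no later deny is consulted.  Returns (verdict, pipes passed through)."""
    pipes = []
    for rule in rules:
        if not _matches(rule, pkt):
            continue
        if rule["action"] == "pipe":
            pipes.append(rule["pipe"])
            if one_pass:
                return "allow", pipes
            continue
        return rule["action"], pipes
    return "deny", pipes  # ipfw's implicit default deny

def pipes_last(rules):
    """The same rules with the pipes moved behind the allow rules, to show
    how an allowed packet then never reaches (and is never counted by) a pipe."""
    fixed = [r for r in rules if r["action"] != "pipe"]
    return fixed[:-1] + [r for r in rules if r["action"] == "pipe"] + [fixed[-1]]
```

Note the one_pass=True case: with pipes first and the packet accepted straight out of the pipe, the port-3306 unreach rule is skipped entirely, so the ordering Chris uses only keeps its deny semantics when packets re-enter the rule walk after the pipe.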