Date: Wed, 12 Apr 2000 22:23:26 -0700 (PDT)
From: Bhishan Hemrajani <bhishan@cytosine.dhs.org>
To: freebsd-questions@freebsd.org
Subject: Deny a set of ips for a group using ipfw
Message-ID: <200004130523.e3D5NQS24196@cytosine.dhs.org>

I am currently running a FreeBSD 3.4-RELEASE box as a nat gateway,
however, I find the need to give out a few shell accounts to some of
my friends.

But, in case one of my friends turns out to be hazardous to my network
I will not be happy. So I decided to prevent it before it happens.

What I want to do is block an interface from being used by the group
users. And only allowed by people in the group wheel.

I thought that this would do that for me:

    ipfw add 1050 allow all from any to any gid wheel
    ipfw add 1051 deny all from any to any gid users via de0

de0 is my internal interface, and de1 is my external interface.

However, any normal user can still ping the computers on my internal
interface. I don't see why this is happening.

Here is a printout of "ipfw show":

    00010  664306 337437059 divert 8668 ip from any to any via de1
    01000       0         0 deny ip from any to 192.168.0.5
    01001       0         0 deny ip from any to 207.199.68.5
    01050    4878    348297 allow ip from any to any gid wheel
    01051       0         0 deny ip from any to any gid users via de0
    01100 1314240 647617396 allow ip from any to any
    65535       1       345 deny ip from any to any

And all my users that I want to be denied access are in the group
users (gid 100). And this is the entry I have in /etc/group for it:

    users:*:100:

I don't see why it is not filtering out those packets.

--bhishan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
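
Reading the counters in the listing above, as an added example that is not part of the original message: the script parses `ipfw show` output (rule number, packet count, byte count, rule text) and, for each deny rule with a packet count of 0, names the next unconditional `allow ip from any to any` rule after it. The function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# `ipfw show` columns: rule number, packet count, byte count, rule text.

# The listing quoted in the message above.
sample_listing() {
    cat <<'EOF'
00010 664306 337437059 divert 8668 ip from any to any via de1
01000 0 0 deny ip from any to 192.168.0.5
01001 0 0 deny ip from any to 207.199.68.5
01050 4878 348297 allow ip from any to any gid wheel
01051 0 0 deny ip from any to any gid users via de0
01100 1314240 647617396 allow ip from any to any
65535 1 345 deny ip from any to any
EOF
}

# Reads a listing on stdin. Each deny rule whose packet counter is 0 is
# held until the next unconditional "allow ip from any to any" rule is
# seen, then reported together with that rule's number and packet count.
zero_hit_denies() {
    awk '
    {
        action = $4
        body = ""
        for (i = 5; i <= NF; i++) body = body (i > 5 ? " " : "") $i
    }
    action == "deny" && $2 == 0 { pending[++n] = $1 " (" body ")" }
    action == "allow" && body == "ip from any to any" {
        for (j = 1; j <= n; j++)
            printf "%s: 0 packets; next unconditional allow is %s (%s packets)\n", pending[j], $1, $2
        n = 0
    }
    END {
        for (j = 1; j <= n; j++)
            printf "%s: 0 packets; no unconditional allow follows\n", pending[j]
    }'
}

sample_listing | zero_hit_denies
```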