From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
Date: Sun, 20 Feb 2000 23:06:48 -0800
To: Mark Stout
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Reading rules in IPFW
Message-ID: <38B0E408.BEBB049D@gorean.org>
References: <4.2.0.58.20000220213559.021b4380@mail.vpm.com>

Mark Stout wrote:

> I wrote some rules for IPFW that work as intended as long as I keep the
> default "allow ip from any to any" as the last rule. If I make it "deny ip
> from any to any" as the last rule my previous rules that once worked now
> don't. Nobody can get in. This seems right.
>
> Here's a sampling of the rules I have that work.
>
> 100 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
> 100 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
> 100 add permit log tcp from any to 209.60.152.2 80
> 100 add permit log tcp from any to 209.60.152.2 21
> 100 add deny log tcp from any to 209.60.152.2 23
> ...
> 65535 allow ip from any to any
>
> I allow access to Telnet from any host on network 209.13.14.0
> I allow access to Telnet from any host on network 209.13.15.0
> I allow HTTP from anyone
> I allow FTP from anyone
> I then deny Telnet from everyone else
>
> The default rule #65535 allows everything else in.
> Now, where I keep these
> same rules but change 65535 to deny ip from any to any, then nothing is
> allowed in, not HTTP or FTP.
>
> Does IPFW stop at the first match or does it continue through the rest of
> the rules?

Barring any special rules, it operates on a first match principle. Although technically you can make multiple rules with the same number, it's not a good idea. Also, you're not supposed to change rule 65535, I'm not even sure you can, or what would happen if you try.

I would try the following list:

1000 add permit log tcp from any to 209.60.152.2 80
2000 add permit log tcp from 209.13.15.0/24 to 209.60.152.2 23
2001 add permit log tcp from 206.13.14.0/24 to 209.60.152.2 23
3000 add permit log tcp from any to 209.60.152.2 21
9000 add deny log tcp from any to 209.60.152.2 23
65000 add deny ip from any to any

Of course this assumes that you have proper entries elsewhere for your loopback, etc. If these rules don't work, please send the output of 'ipfw show' to the list.

Good luck,

Doug

-- 
"Welcome to the desert of the real." - Laurence Fishburne as Morpheus, "The Matrix"
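Added example, not part of the thread: a small Python simulator of ipfw's first-match evaluation run over Doug's suggested rule list, so the effect of rule ordering and of the final deny can be checked offline. The rule tuple format and the sample packets are constructed for this example; the addresses and ports are the ones from the thread.

```python
import ipaddress

# Doug's suggested rule set, one tuple per rule:
# (number, action, proto, src, dst, dport); "any"/None mean unrestricted.
RULES = [
    (1000,  "permit", "tcp", "any",            "209.60.152.2", 80),
    (2000,  "permit", "tcp", "209.13.15.0/24", "209.60.152.2", 23),
    (2001,  "permit", "tcp", "206.13.14.0/24", "209.60.152.2", 23),
    (3000,  "permit", "tcp", "any",            "209.60.152.2", 21),
    (9000,  "deny",   "tcp", "any",            "209.60.152.2", 23),
    (65000, "deny",   "ip",  "any",            "any",          None),
]

def _match_addr(spec, addr):
    """'any' matches everything; otherwise addr must lie in the network spec."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _match_rule(rule, proto, src, dst, dport):
    """True when every field of the rule accepts the packet."""
    _num, _action, r_proto, r_src, r_dst, r_dport = rule
    if r_proto != "ip" and r_proto != proto:      # 'ip' matches any protocol
        return False
    if r_dport is not None and r_dport != dport:
        return False
    return _match_addr(r_src, src) and _match_addr(r_dst, dst)

def evaluate(rules, proto, src, dst, dport):
    """Walk rules in ascending number order; the first match decides.
    Returns (rule_number, action). Rules sharing a number keep insertion
    order (stable sort), which is why duplicate numbers are confusing."""
    for rule in sorted(rules, key=lambda r: r[0]):
        if _match_rule(rule, proto, src, dst, dport):
            return rule[0], rule[1]
    return 65535, "permit"   # implicit kernel default, unreachable here

if __name__ == "__main__":
    # Constructed sample packets: (proto, src, dst, dport)
    for pkt in [("tcp", "209.13.15.7", "209.60.152.2", 80),
                ("tcp", "209.13.15.7", "209.60.152.2", 23),
                ("tcp", "1.2.3.4",     "209.60.152.2", 23),
                ("udp", "1.2.3.4",     "209.60.152.2", 53)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Swapping the list order (for example moving rule 9000 ahead of 2000) and re-running shows why the telnet deny must be numbered after the telnet permits.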