Date:      Sat, 08 Feb 1997 18:35:38 -0800
From:      Julian Elischer <julian@whistle.com>
To:        Robert Shady <rls@mail.id.net>
Cc:        tiller@connectnet.com, FreeBSD-Questions@freebsd.org, FreeBSD-ISP@freebsd.org
Subject:   Re: Packet filtering help please
Message-ID:  <32FD37FA.41C67EA6@whistle.com>
References:  <199702090005.TAA06715@server.id.net>

Robert Shady wrote:
> 
> > > this will add to my system.  Also,
> > > where can I find more info on how to construct rules?
> > > (Beyond the man pages.)
> > > I will be doing this all remotely, so getting it right the first time is
> > > essential.
> >
> > add the following code to the rc file
> > ipfw add 10000  allow ip from all to all
> > ipfw add 1000   deny ip from {his address}
> >
> >
> > that should about do it..
> > remember that the default rule is:
> > ipfw add 65536 deny ip from any to any
> >
> > so you need to add the allow rule above via /etc/rc
> > because you won't be able to get to the box to do it by hand :)
> 
> Also remember that the numbers are the 'rules numbers', they are
> parsed from highest to lowest, and everyone must be different.
> In the above example, it starts out like this
> 
> RULE #
> ======
> 65536  deny ip from any to any  (Don't let ANYONE into this box by default)
> 10000  allow ip from all to all (Now allow EVERYONE into this box by default)
> 1000   deny ip from a.a.a.a     (Now just deny people from a.a.a.a)
> 
> And you could add...
> 
> 999    deny ip from b.b.b.b     (Now deny people from a.a.a.a & b.b.b.b)

Boy is that confusing!
1/ there can be more than one rule with the same number.. ordering of
such rules is undefined.
2/ the rules are parsed LOWEST to HIGHEST..

the rules are interpreted with an implied "OTHERWISE go on to the next
rule".

/* first-match evaluation, rules taken in ascending number order */
while (rules to do) {
	if (condition of next rule is true) {
		if (rule is deny)
			return FALSE;
		else	/* rule is accept */
			return TRUE;
	}
	rule++; /* OTHERWISE: move on to next rule */
}
/* nothing matched: the default rule (deny ip from any to any) applies */


in other words the set above are:


1000 If it's our pesky friend block it and go get the next packet.
otherwise, go on to the next rule.
10000 Allow all packets not already thrown out.
65535  *never reached*

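To make the ordering point concrete, here is a small model of ipfw's first-match evaluation, added as an example; it is not code from the thread or from FreeBSD. It parses the `ipfw add N allow|deny ip from SRC [to DST]` lines used above, evaluates a packet against them in ascending rule-number order, and adds a `lockout_check()` for the remote-administration worry in the thread (loading a rule set that never lets the admin back in). The `ipaddress`-based matching, the `Rule` dataclass, the function names and the RFC 5737 addresses standing in for `{his address}`, `a.a.a.a` and `b.b.b.b` are all assumptions of this example; real ipfw leaves the order of same-numbered rules undefined, whereas this model keeps insertion order.

```python
"""Model of ipfw first-match rule evaluation (added example; not from the thread)."""
import ipaddress
from dataclasses import dataclass

DEFAULT_RULE_NUMBER = 65535   # ipfw's built-in final rule: deny ip from any to any


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "allow" or "deny"
    src: str      # "any", a single address, or a CIDR block
    dst: str


def _addr_matches(spec, addr):
    """True if ADDR falls inside SPEC ('any', host address, or CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    """Parse 'ipfw add N allow|deny ip from SRC [to DST]' (the syntax used in the thread).

    A missing 'to DST' is treated as 'to any'.  Anything else is rejected rather
    than guessed at, since a silently mis-parsed rule is how lockouts happen.
    """
    t = line.split()
    if len(t) < 7 or t[:2] != ["ipfw", "add"] or t[4] != "ip" or t[5] != "from":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    number, action, src = int(t[2]), t[3], t[6]
    if action not in ("allow", "deny"):
        raise ValueError(f"unsupported action {action!r} in {line!r}")
    dst = t[8] if len(t) >= 9 and t[7] == "to" else "any"
    return Rule(number, action, src, dst)


def evaluate(rules, src, dst, ascending=True):
    """Return (rule_number, action) of the first rule matching a SRC->DST packet.

    ascending=True is how ipfw actually works (lowest number first).  ascending=False
    models the 'highest to lowest' reading from the quoted message, to show why it
    is wrong: the 65535 default would match everything first.  sorted() is stable,
    so same-numbered rules keep insertion order here (ipfw: undefined).
    """
    ordered = sorted(rules, key=lambda r: r.number, reverse=not ascending)
    if not ascending:
        ordered.insert(0, Rule(DEFAULT_RULE_NUMBER, "deny", "any", "any"))
    for rule in ordered:
        if _addr_matches(rule.src, src) and _addr_matches(rule.dst, dst):
            return rule.number, rule.action
    return DEFAULT_RULE_NUMBER, "deny"   # implied OTHERWISE after the last rule


def lockout_check(rules, admin_addr, box_addr):
    """Before loading a rule set on a remote box: can the admin still reach it?"""
    _, action = evaluate(rules, admin_addr, box_addr)
    return action == "allow"


# Constructed stand-ins for the thread's rules (the thread writes 'from all to all';
# this model uses the 'any' keyword).  Addresses are RFC 5737 documentation ranges.
THREAD_RULES = [parse_rule(line) for line in (
    "ipfw add 10000 allow ip from any to any",
    "ipfw add 1000 deny ip from 192.0.2.10 to any",     # {his address} / a.a.a.a
    "ipfw add 999 deny ip from 198.51.100.5 to any",    # b.b.b.b
)]
BOX = "203.0.113.1"

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.5", "203.0.113.7"):
        print(src, "->", evaluate(THREAD_RULES, src, BOX))
    # Forgetting the allow rule in /etc/rc leaves only the default deny:
    deny_only = [r for r in THREAD_RULES if r.action == "deny"]
    print("admin still gets in:", lockout_check(deny_only, "203.0.113.7", BOX))
```

Running it shows the pesky addresses stopped at rules 999 and 1000, everyone else accepted at 10000, and the 65535 default never reached; with the allow rule left out, `lockout_check()` returns False, which is the case the thread warns about for a box administered remotely.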