From: 方坤 <quinefang@gmail.com>
Date: Fri, 29 Dec 2017 17:21:34 +0800
Subject: ipfw rules for modern FreeBSD?
To: freebsd-ipfw@freebsd.org
List-Id: IPFW Technical Discussions

Dear ipfw maintainer,

I read the following from https://www.freebsd.org/cgi/man.cgi?query=ipfw&sektion=8&manpath=freebsd-release-ports#end .

> The rule body has the following format:
>
> [*proto* *from* *src* *to* *dst*] [*options*]
>
> The first part (proto from src to dst) is for backward compatibility with
> earlier versions of FreeBSD. In modern FreeBSD any match pattern
> (including MAC headers, IP protocols, addresses and ports) can be specified
> in the *options* section.

And my firewall_script is as follows:

#!/bin/sh
fwcmd="/sbin/ipfw -q"
${fwcmd} -f flush
${fwcmd} add allow proto tcp src-ip me setup keep-state :default
${fwcmd} add allow proto udp src-ip me keep-state :default

And I found these rules are not protecting my FreeBSD box.

Question: How can I write ipfw rules for modern FreeBSD only?
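A host ruleset written only in the options syntax the man page describes, added here as an example; it is neither the poster's script nor a FreeBSD-supplied ruleset, and it assumes FreeBSD 11 or later ipfw (named dynamic states), sshd listening on tcp/22, and /sbin/ipfw at the path the original script uses. It ends with an explicit deny because ipfw's last rule 65535 either allows or denies everything depending on how the kernel was built (IPFIREWALL_DEFAULT_TO_ACCEPT), so a set that only contains allow rules protects nothing when that default is allow.

```shell
#!/bin/sh
# Added example (not the poster's script): stateful host firewall in
# modern options-only ipfw syntax, ending in an explicit deny so it does
# not rely on the action of the kernel's default rule 65535.

fwcmd="/sbin/ipfw -q"   # assumed path, taken from the original script

# Emit the ruleset, one "add ..." line per rule; ipfw numbers them in order.
ipfw_rules() {
    cat <<'EOF'
add allow proto ip via lo0
add deny proto ip src-ip 127.0.0.0/8
add deny proto ip dst-ip 127.0.0.0/8
add check-state :default
add allow proto tcp dst-ip me dst-port 22 setup keep-state :default
add allow proto tcp src-ip me setup keep-state :default
add allow proto udp src-ip me keep-state :default
add allow proto icmp dst-ip me icmptypes 0,3,8,11
add deny log proto ip
EOF
}

# Number of rules the generator produces (sanity check for the loader).
rule_count() {
    ipfw_rules | wc -l | tr -d ' '
}

# The set must end in a deny and contain a check-state so that replies to
# flows created by keep-state are matched before the final deny.
rules_ok() {
    [ "$(ipfw_rules | tail -n 1 | cut -d' ' -f2)" = "deny" ] || return 1
    ipfw_rules | grep -q '^add check-state' || return 1
    return 0
}

# Replace the running ruleset: flush, then feed the generated rules to
# ipfw as a command file (an absolute path is required; /dev/stdin is one).
apply_rules() {
    rules_ok || { echo "refusing to load an unsafe ruleset" >&2; return 1; }
    ${fwcmd} -f flush
    ipfw_rules | ${fwcmd} /dev/stdin
}

# Only touch the firewall when asked: "sh fw.sh apply" loads it,
# running it with no argument just prints the rules for review.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    ipfw_rules
fi
```

The inbound tcp/22 rule is the one assumption about services; drop it if the box runs no sshd, and the remaining rules still only admit traffic the host itself initiated.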