From owner-freebsd-questions Tue Apr 9 13:44:39 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.hal-pc.org (mail.hal-pc.org [206.180.145.133]) by hub.freebsd.org (Postfix) with ESMTP id 9E8C837B41A for ; Tue, 9 Apr 2002 13:44:32 -0700 (PDT)
Received: from [204.52.135.14] (HELO Debug) by mail.hal-pc.org (CommuniGate Pro SMTP 3.5.6) with SMTP id 7668495; Tue, 09 Apr 2002 14:44:32 -0600
To: jmire@lsuhsc.edu
Cc: freebsd-questions@freebsd.org
From: cravey@hal-pc.org
Subject: RE: ipfw config to only allow gif tunnels.
Date: Tue, 9 Apr 2002 20:44:32 GMT
X-Mailer: Endymion MailMan Standard Edition v3.0.16
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

It still doesn't seem to work, but that's exactly the kind of information I needed. Hopefully I can get there from here. Thank you.

-Stephen

> I guess I'm missing something, because the gif interfaces have to exist either
> by cloning or by creating them, and I use a similar rule to allow gif
> interface traffic to traverse my firewall regardless of the IP addresses
> associated with them. Without it the gif (ipip) traffic gets blocked. The
> other thing to do is use the protocol number:
>
> ipip 94 IPIP # Yet Another IP encapsulation
> encap 98 ENCAP # Yet Another IP encapsulation
>
> I'm betting on 94 and would write the rule something like:
>
> ipfw add 00122 allow 94 from a.b.c.d to me
> ipfw add 00124 allow 94 from me to a.b.c.d
>
> You could even add granularity by specifying the interface, etc...
>
> -----Original Message-----
> From: cravey@hal-pc.org [mailto:cravey@hal-pc.org]
> Sent: Tuesday, April 09, 2002 1:46 PM
> To: jmire@lsuhsc.edu
> Cc: freebsd-questions@freebsd.org
> Subject: RE: ipfw config to only allow gif tunnels.
>
> Sorry, that doesn't seem to work unless you're trying to firewall the
> traffic coming down the tunnel with the tunnel already established. Any other
> suggestions?
>
> Thanks.
>
> -Stephen
>
> > try something like:
> >
> > ipfw add 00122 allow ip from a.b.c.d to me via gif0
> > ipfw add 00124 allow ip from me to a.b.c.d via gif0
> >
> > --
> > John Mire: jmire@lsuhsc.edu Network Administration
> > 318-675-5434 LSU Health Sciences Center - Shreveport
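A complete rule set for the situation discussed in the thread, as an added example that is not code from either poster. It assumes FreeBSD ipfw with a gif tunnel to a single IPv4 peer; the peer address 192.0.2.1, the interface fxp0 and the rule numbers are placeholders. It relies on two facts: FreeBSD's gif carries IPv4 inside IP protocol 4 (ipencap, 41 for IPv6 payloads), and ipfw's `via gif0` only matches packets after decapsulation, which is why the gif0 rules alone do not let the tunnel come up.

```shell
#!/bin/sh
# Added example, not code from the thread: print an ipfw rule set that lets
# exactly one IPv4 gif tunnel through and drops any other IP-in-IP traffic.
# Rules are printed rather than applied so they can be reviewed first, e.g.
#   gif_tunnel_rules 192.0.2.1 fxp0 | ipfw -q /dev/stdin
# Facts relied on: FreeBSD's gif encapsulates IPv4 in IP protocol 4 (ipencap;
# protocol 41 is used for IPv6 payloads), and "via gif0" in ipfw matches only
# the decapsulated inner packets, so the outer packets need their own rules on
# the physical interface. 192.0.2.1 and fxp0 are placeholder values.

# gif_tunnel_rules PEER OUTER_IF [FIRST_RULE_NUMBER]
gif_tunnel_rules() {
    peer="$1"; outer="$2"; n="${3:-120}"

    # 1. Outer packets: protocol 4 only, only from/to the tunnel peer, and
    #    only on the interface the tunnel really uses. Numeric protocol is
    #    used on purpose; ipfw treats the keyword "ipv6" as an address family,
    #    not as protocol 41.
    printf 'ipfw add %05d allow 4 from %s to me in via %s\n' "$n" "$peer" "$outer"
    n=$((n + 2))
    printf 'ipfw add %05d allow 4 from me to %s out via %s\n' "$n" "$peer" "$outer"
    n=$((n + 2))

    # 2. Inner packets: seen again after decapsulation, now on gif0. The inner
    #    addresses are the tunnel's internal ones, not the peer's outer
    #    address, so "any to any" is used here rather than the peer address.
    printf 'ipfw add %05d allow ip from any to any via gif0\n' "$n"
    n=$((n + 2))

    # 3. Any other IP-in-IP packet is logged and dropped, so a stray tunnel
    #    attempt from another source shows up in the ipfw log.
    printf 'ipfw add %05d deny log 4 from any to any\n' "$n"
}

gif_tunnel_rules 192.0.2.1 fxp0
```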