Date: Tue, 11 Jan 2022 20:45:51 +0100 (CET)
From: Bernhard John <john.bb@online.de>
To: tundra@tundraware.com
Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject: Re: ipfw syntax clarification
Message-ID: <dad6215-64b9-9ed4-b7d8-b3fb292a6191@srv1.l0caldomain>
In-Reply-To: <8b2c341d-10e6-51a2-0654-86f4394865c7@tundraware.com>
References: <8b2c341d-10e6-51a2-0654-86f4394865c7@tundraware.com>
Greetings!

As this is my first reply to a freebsd mailing-list question, I hope it works the way it should.

I had ipfw running also and my suggestion is:

Add the following rule before the one you mentioned:

  ipfw add allow out from any to table\(10\) via ${OIF} keep-state

NOTE: the keep-state is important because it allows the answer back to you, which would otherwise be caught by your mentioned rule.

Regards
BJ

On Wed, 29 Dec 2021, Tim Daneliuk via freebsd-questions wrote:

> We have a FBSD firewall/gateway/natd server on the perimeter of one of our networks.
>
> We have an ipfw table that is loaded with pesky IPs like this:
>
> ipfw add deny all from table\(10\) to any via ${OIF}
>
> This does block traffic which originates from those IPs to our server.
> However, it also prevents our server from originating requests TO those IPs.
>
> This is an issue because some of the table entries are CIDR blocks intended
> to geoblock known problem areas. However, it's sometimes desirable to, say,
> connect to a web server within one of those CIDR blocks.
>
> How/can the rule above be modified to let no one in the table to connect or
> ping to the server, but still allow the server to connect to something in
> the forbidden blocks/IPs?
>
> TIA!
> --
> ----------------------------------------------------------------------------
> Tim Daneliuk tundra@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
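The reply above gives the one rule; what a practitioner usually wants to see is where it sits in a complete ruleset, because the stateful allow only works if the dynamic rules are consulted before the deny. The script below is an added example (not posted by either participant) in the style of /etc/rc.firewall. It assumes an outside interface name (OIF, default em0), table number 10, an ipfw path, and three constructed block-list entries taken from the RFC 5737 documentation ranges. Without an argument it only prints the rules in load order; with "apply" it feeds them to ipfw, which must be run as root on a FreeBSD host. Rule option order follows the canonical ipfw(8) form (direction after the destination).

```shell
#!/bin/sh
# Added example: minimal ipfw ruleset for "deny everything FROM the table,
# but let this host connect TO the table". Not from the original thread.

OIF="${OIF:-em0}"            # assumed outside interface
TABLE=10                     # assumed table number, as in the thread
IPFW="${IPFW:-/sbin/ipfw}"   # assumed path; rc.firewall calls this ${fwcmd}

# Constructed sample block list (RFC 5737 documentation ranges, not real peers).
BLOCKED="192.0.2.0/24 198.51.100.0/24 203.0.113.7"

# Print the rules in the order they must be loaded.
ipfw_rules() {
    # Tables are created on first "add" (type addr by default); creating
    # explicitly documents the type.  Harmless if it already exists.
    echo "table $TABLE create type addr"
    for net in $BLOCKED; do
        echo "table $TABLE add $net"
    done
    # 1. Consult the dynamic (stateful) rule set before any static rule, so
    #    replies to our own connections are accepted here and never reach
    #    the deny rule.  The first keep-state rule does this implicitly, but
    #    an explicit check-state makes the ordering visible.
    echo "add 100 check-state"
    # 2. Connections we originate toward listed addresses: allow and record
    #    state.  "from any" matches the reply; "from me" would narrow it to
    #    this host's own addresses.
    echo "add 1000 allow ip from any to table($TABLE) out via $OIF keep-state"
    # 3. Anything originating from a listed address is dropped.  The thread's
    #    rule has no direction; "in" is added here because a packet with a
    #    listed source leaving via $OIF could only be spoofed anyway.
    echo "add 2000 deny ip from table($TABLE) to any in via $OIF"
}

# Sanity check on the printed set: check-state before the keep-state allow,
# and the keep-state allow before the table deny.  Returns 0 when the order
# is right, 1 otherwise.
rule_order_ok() {
    out=$(ipfw_rules)
    cs=$(printf '%s\n' "$out" | grep -n 'check-state' | head -n1 | cut -d: -f1)
    ks=$(printf '%s\n' "$out" | grep -n 'keep-state' | head -n1 | cut -d: -f1)
    dn=$(printf '%s\n' "$out" | grep -n '^add [0-9]* deny' | head -n1 | cut -d: -f1)
    [ -n "$cs" ] && [ -n "$ks" ] && [ -n "$dn" ] \
        && [ "$cs" -lt "$ks" ] && [ "$ks" -lt "$dn" ]
}

case "${1:-}" in
    apply)
        # Each printed line becomes one ipfw invocation; -q keeps it quiet.
        # The parentheses in table($TABLE) need no escaping here because the
        # line is split by the shell before ipfw sees it.
        ipfw_rules | while read -r line; do
            $IPFW -q $line
        done
        ;;
    *)
        ipfw_rules
        ;;
esac
```

After applying, `ipfw -d show` lists the dynamic entries created by rule 1000; opening a connection to an address in the table should produce one, and its replies will be counted against that entry rather than rule 2000. When typing the rules by hand rather than through the script, the parentheses must be escaped (`table\(10\)`) exactly as both messages in the thread show, since the shell would otherwise treat them as a subshell.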