From owner-freebsd-net Sat Nov 21 19:28:46 1998
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA22670 for freebsd-net-outgoing; Sat, 21 Nov 1998 19:28:46 -0800 (PST) (envelope-from owner-freebsd-net@FreeBSD.ORG)
Received: from root.com (root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA22661 for ; Sat, 21 Nov 1998 19:28:44 -0800 (PST) (envelope-from root@root.com)
Received: from root.com (localhost [127.0.0.1]) by root.com (8.8.8/8.8.5) with ESMTP id TAA01406; Sat, 21 Nov 1998 19:29:17 -0800 (PST)
Message-Id: <199811220329.TAA01406@root.com>
To: Dave Alden
cc: freebsd-net@FreeBSD.ORG
Subject: Re: bridging hints?
In-reply-to: Your message of "Fri, 20 Nov 1998 16:09:47 EST." <199811202109.QAA06927@math.mps.ohio-state.edu>
From: David Greenman
Reply-To: dg@root.com
Date: Sat, 21 Nov 1998 19:29:16 -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> I'm planning on using a FreeBSD box as our departmental firewall. I
> just started playing around with it and have a box configured with 2 Intel
> EtherExpress 100+ cards, our LAN on one and a workstation (call 'wkstn')
> on the other. I'm trying to learn ipfw, so I set up the FreeBSD box as a
> "client" firewall. I then did:
>
> ipfw add deny tcp from any to wkstn
>
> This works as expected. But if I try to just turn off certain ports with:
>
> ipfw add deny tcp from any to wkstn 1-1024
>
> it doesn't work as I would expect (it allows me to telnet to the machine).
> Can someone tell me what I'm doing wrong? :-)

Here's a guess: You need to be careful about the precedence. Lower-numbered filter rules have higher precedence. Since you didn't specify a specific rule number, the system assigned a number that was greater than a previous allow rule, and that wasn't what you wanted. See ipfw(8).
-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
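The ordering effect described in the reply can be reproduced with a small model of ipfw's first-match evaluation. This is an added example, not code from the thread or from FreeBSD; it assumes a simplified rule syntax (protocol, source, destination, optional destination port range), that an unnumbered rule is assigned the highest existing number plus 100, and that the "client" firewall set up earlier contributed a broad allow rule at a low number (a stand-in for the real rc.firewall rules, which are not shown in the thread). Host names such as `wkstn` and `lan-host` are constructed.

```python
"""Simplified model of ipfw first-match rule evaluation (added example).

Assumptions (not from the thread): auto-numbering steps by 100 and the
default rule sits at 65535; the "client" ruleset is approximated by one
broad allow rule at number 100.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"
DEFAULT_RULE = 65535   # slot of the final, catch-all rule
STEP = 100             # assumed increment for rules added without a number


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                              # "allow" or "deny"
    proto: str                               # "tcp", "udp", or "ip" (matches all)
    src: str
    dst: str
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range; None = any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != ANY and self.src != src:
            return False
        if self.dst != ANY and self.dst != dst:
            return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if dport is None or not (lo <= dport <= hi):
                return False
        return True


class Ruleset:
    """Rules are kept sorted by number; the first match decides the packet."""

    def __init__(self, default_action: str = "deny") -> None:
        self.rules: List[Rule] = [Rule(DEFAULT_RULE, default_action, "ip", ANY, ANY)]

    def add(self, action: str, proto: str, src: str, dst: str,
            dst_ports: Optional[Tuple[int, int]] = None,
            number: Optional[int] = None) -> int:
        if number is None:
            # Unnumbered rule: lands after every existing non-default rule.
            highest = max((r.number for r in self.rules if r.number != DEFAULT_RULE), default=0)
            number = highest + STEP
        self.rules.append(Rule(number, action, proto, src, dst, dst_ports))
        self.rules.sort(key=lambda r: r.number)
        return number

    def check(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, int]:
        """Return (action, rule number) of the first matching rule."""
        for r in self.rules:
            if r.matches(proto, src, dst, dport):
                return r.action, r.number
        raise AssertionError("default rule always matches")


def client_firewall_scenario() -> Tuple[Tuple[str, int], Tuple[str, int]]:
    """Telnet (tcp/23) to wkstn: unnumbered deny vs. deny with an explicit low number."""
    # As posted: the deny is added without a number, so it sorts after the allow.
    posted = Ruleset(default_action="deny")
    posted.add("allow", "ip", ANY, ANY)                   # stand-in for the client rules -> 100
    posted.add("deny", "tcp", ANY, "wkstn", (1, 1024))    # auto-numbered 200, never reached
    as_posted = posted.check("tcp", "lan-host", "wkstn", 23)

    # Fixed: give the deny a number lower than the allow so it is evaluated first.
    fixed = Ruleset(default_action="deny")
    fixed.add("allow", "ip", ANY, ANY)
    fixed.add("deny", "tcp", ANY, "wkstn", (1, 1024), number=50)
    with_number = fixed.check("tcp", "lan-host", "wkstn", 23)
    return as_posted, with_number


def high_port_still_allowed() -> Tuple[str, int]:
    """With the fixed ordering, a port outside 1-1024 falls through to the allow."""
    fw = Ruleset(default_action="deny")
    fw.add("allow", "ip", ANY, ANY)
    fw.add("deny", "tcp", ANY, "wkstn", (1, 1024), number=50)
    return fw.check("tcp", "lan-host", "wkstn", 8080)


if __name__ == "__main__":
    print("as posted / with explicit number:", client_firewall_scenario())
    print("tcp/8080 under fixed ordering:", high_port_still_allowed())
```

Listing the rules afterwards (`ipfw list` on a real system) shows the assigned numbers, which is the quickest way to confirm that a deny actually sits in front of the allow it is meant to override.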