From owner-freebsd-questions Wed Sep 4 6:31: 7 2002 Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64DD837B401 for ; Wed, 4 Sep 2002 06:31:02 -0700 (PDT) Received: from catflap.home.slightlystrange.org (host217-39-91-62.in-addr.btopenworld.com [217.39.91.62]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFDE943E4A for ; Wed, 4 Sep 2002 06:31:00 -0700 (PDT) (envelope-from dan@slightlystrange.org) Received: from danielby by catflap.home.slightlystrange.org with local (Exim 3.36 #1) id 17maFB-000NvH-00 for questions@FreeBSD.ORG; Wed, 04 Sep 2002 14:30:53 +0100 Date: Wed, 4 Sep 2002 14:30:53 +0100 From: Daniel Bye To: questions@FreeBSD.ORG Subject: Re: Macros in ipfw rules Message-ID: <20020904133053.GA91519@catflap.home.slightlystrange.org> Reply-To: dan@slightlystrange.org Mail-Followup-To: questions@FreeBSD.ORG References: <20020903142632.GA71601@catflap.home.slightlystrange.org> <443cspq4ll.fsf@be-well.ilk.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <443cspq4ll.fsf@be-well.ilk.org> User-Agent: Mutt/1.4i X-Scanner: exiscan *17maFB-000NvH-00*Y6PHDircPS.* (SlightlyStrange.org, Using NOD32 http://www.nod32.com) Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Wed, Sep 04, 2002 at 09:14:30AM -0400, Lowell Gilbert wrote: > Daniel Bye writes: > > > I have managed to get our departmental intranet site migrated from Win2K > > to FreeBSD 4.6.2 (yay me - I did good ;-), and am now having trouble with > > ipfw. I want to use a macro to prevent large groups of networks and > > hosts from connecting, but I've drawn a blank with the syntax. > > You might want to consider doing it the other way around; create rules > for what traffic you want to let in, and then drop everything else. Yeah, agreed. However, I wanted to prevent googlebot.com et al from cataloguing the site, while allowing pretty much unrestricted access to everyone else. (This comes down to company politics, over which I have very little control). I have put a few "Deny from" clauses in httpd.conf, which is serving the purpose adequately for the time being. Ultimately, users will need username and password to log in, which I guess will stop everyone else anyways. (This IS happening tomorrow...) > > can use m4 or cpp, for example, but I cannot fathom the syntax necessary > > to establish the macros. > > A simple scripting language is a much easier way to do this. Hah! Of course. Always too keen to over-egg the pudding, as it were. > > Anyone have any pointers to some docs online I can look at, or example > > rules I can rip off? Or even a "reread the man pages, you twit, there's > > examples aplenty" would be OK ;-) > > The canonical set of examples is /etc/rc.firewall. I suspect that in > this case you will also find /usr/share/examples/ipfw to be useful, > and there's a large section in the FreeBSD handbook that you should > examine closely. I checked the handbook, but evidently not that closely... I will now go and look at /usr/share/examples/ipfw (I always forget that's there...). And of course, rc.firewall. I never think of these as a source of documentation. My bad. Thanks all for taking the time to respond - your words are appreciated. Dan -- Daniel Bye PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC _ ASCII ribbon campaign ( ) - against HTML, vCards and X - proprietary attachments in e-mail / \ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message