Date: Thu, 19 Dec 2002 22:35:42 +1030
From: Rob <listone@deathbeforedecaf.net>
To: Gary D Kline <kline@thought.org>, FreeBSD Mailing List <freebsd-questions@FreeBSD.ORG>
Subject: Re: Are these IPF -> IPFW protocols equivalent?
Message-ID: <3E01B616.7080708@deathbeforedecaf.net>
> # Inside Interface (ipfw)
> [IPFW] add 200 allow tcp from any to any out xmit via dc0 keep-state
> [IPFW] add 200 allow icmp from any to any out xmit via dc0 keep-state
> [IPFW] add deny ip from any to any out xmit via dc0
>
> [IPFW] add 200 allow tcp from any to any in recv via dc0 keep-state
> [IPFW] add 200 allow icmp from any to any in recv via dc0 keep-state
> [IPFW] add deny ip from any to any in recv via dc0
>
> # Loopback Interface
> [IPFW] add allow ip from 127.0.0.1 to 127.0.0.1 in recv via lo0
> [IPFW] add allow ip from 127.0.0.1 to 127.0.0.1 out xmit via lo0

I've only used ipfw for a little while, but there are a few things I can suggest here.

* A good diagnostic for your rules is

      ipfw list

  Run this after adding a list of rules, and it shows you how they were translated by ipfw. It also shows the default rule (number 65535), which will be allow any or deny any, depending on your kernel options.

* You don't need to supply a number after 'add' - the ipfw command will number them for you. I'm not sure what happens if you give different rules the same number, but it probably isn't useful.

* Since you're allowing all out (#1) and all in (#4), you can combine these rules as

      add allow tcp from any to any via dc0 keep-state

  with the same effect.

* Likewise with #2 and #5, they can be combined as

      add allow icmp from any to any via dc0 keep-state

* Likewise with #7 and #8.

* The keep-state option allows you to set up two-way traffic based on a one-way rule. I think it's mainly designed for UDP (where there's no established connection to allow), but it should work for ICMP as well. However, since you're already allowing traffic both ways (in & out), it isn't necessary in this case.

* If your default rule is deny all, you don't need #3 and #6, because it will be denied anyway.

* If you give a hostname to ipfw, it will resolve the address when adding the rule.

* So you should be able to do the same thing with

      add allow tcp from any to any via dc0
      add allow icmp from any to any via dc0
      add allow ip from localhost to localhost via lo0

As I said, I've only been using ipfw for a little while, so wiser heads may contradict some of this....

Best of luck :-)
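As an added illustration (not part of Rob's reply or of any FreeBSD code), the script below puts the two rule sets from the thread side by side: the verbose set Gary posted and the three-rule set Rob proposes. It adds two things a practitioner would want before loading rules into a live firewall: a dry-run mode (set IPFW to "echo ipfw" to see exactly what would be executed without touching the kernel) and a check for explicit rule numbers that are reused. ipfw does accept several rules with the same number and evaluates them in the order they were added, and a single "ipfw delete 200" then removes all of them at once, which is why accidental reuse is worth catching. The interface name dc0 and the rule text come from the thread; the function names and the IPFW/IFACE variables are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes FreeBSD ipfw(8)
# command syntax as used in the thread; the interface name dc0 comes
# from the thread, everything else here is illustrative.

IPFW="${IPFW:-ipfw}"     # set IPFW="echo ipfw" for a dry run
IFACE="${IFACE:-dc0}"    # outside interface from the thread

# The verbose rule set as posted (explicit number 200 reused four times).
verbose_rules() {
  cat <<EOF
add 200 allow tcp from any to any out xmit via $IFACE keep-state
add 200 allow icmp from any to any out xmit via $IFACE keep-state
add deny ip from any to any out xmit via $IFACE
add 200 allow tcp from any to any in recv via $IFACE keep-state
add 200 allow icmp from any to any in recv via $IFACE keep-state
add deny ip from any to any in recv via $IFACE
add allow ip from 127.0.0.1 to 127.0.0.1 in recv via lo0
add allow ip from 127.0.0.1 to 127.0.0.1 out xmit via lo0
EOF
}

# The simplified set suggested in the reply: no explicit numbers, so ipfw
# assigns them; in/out pairs merged into a single "via" rule; the explicit
# deny rules dropped on the assumption that the default rule (65535) denies.
simplified_rules() {
  cat <<EOF
add allow tcp from any to any via $IFACE
add allow icmp from any to any via $IFACE
add allow ip from localhost to localhost via lo0
EOF
}

# Read rules on stdin; print every explicit rule number that appears more
# than once. Output is empty when the list is clean.
duplicate_numbers() {
  awk '$1 == "add" && $2 ~ /^[0-9]+$/ { seen[$2]++ }
       END { for (n in seen) if (seen[n] > 1) print n }'
}

# Count the rules in a list (one rule per non-empty line).
count_rules() {
  grep -c '^add'
}

# Feed each rule line to ipfw (or to whatever $IPFW is set to).
apply_rules() {
  while read -r line; do
    [ -n "$line" ] && $IPFW $line
  done
}

# Stand-alone run: refuse to load a list that reuses rule numbers, then
# dry-run the simplified set so the reader can compare with "ipfw list".
if [ "${0##*/}" != "sh" ] && [ -z "$IPFW_EXAMPLE_NO_MAIN" ]; then
  dups=$(verbose_rules | duplicate_numbers)
  [ -n "$dups" ] && echo "verbose set reuses rule number(s): $dups" >&2
  IPFW="echo ipfw" 
  simplified_rules | apply_rules
fi
```

Run it as "sh script.sh" to see the dry-run output; set IPFW_EXAMPLE_NO_MAIN=1 when sourcing it so only the functions are defined. After loading rules for real, "ipfw list" shows the numbers ipfw assigned, which is the check Rob recommends.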