Date: Wed, 2 Jul 2003 22:07:49 -0500
From: "Kevin Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: <FreeBSD-Questions@freebsd.org>
Subject: Re: setting up ipfw
Message-ID: <096301c34110$49bf6cb0$1b41d5cc@nitanjared>
References: <03e401c3403b$959b58e0$1b41d5cc@nitanjared> <5.1.0.14.2.20030702105854.05756080@209.152.117.178> <200307021456.28271.dkelly@HiWAAY.net>
From: "David Kelly" <dkelly@HiWAAY.net>
To: <FreeBSD-Questions@freebsd.org>
Sent: Wednesday, July 02, 2003 2:56 PM
Subject: Re: setting up ipfw

> On Wednesday 02 July 2003 11:00 am, W. D. wrote:
>
> > Is there some guide to translate IPFW rules to English so that they
> > are understandable?
>
> They already are. Each arglist to ipfw(8) is a sentence. ipfw(8) is only
> an interpreter of those instructions which writes the instructions in a
> form ipfw(4) can understand. Or reads them back in a form you can
> understand.
>

And this is one of the things that swung my decision to ipfw ...

a] the easy syntax of the rules;
b] the most well-written tutorial I found while * ST[F]?W was based on ipfw.

Consider the following somewhat biased example. However, the answer to the
"which is most like English" ?? seems clear to me...

ipfw:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

ipf:

    # block address spoofing on the external interface
    block in quick on ed0 from 127.0.0.1/8 to any
    block in quick on ed0 from 10.0.0.0/8 to any
    block in quick on ed0 from 172.16.0.0/12 to any
    block in quick on ed0 from 192.168.0.0/16 to any
    block in quick on ed0 from 224.0.0.0/4 to any
    block in quick on ed0 from 240.0.0.0/5 to any

iptables:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} -A INPUT -j DROP -d 10.0.0.0/8 -i ${oif}
    ${fwcmd} -A FORWARD -j DROP -d 10.0.0.0/8 -i ${oif}
    ${fwcmd} -A INPUT -j DROP -d 172.16.0.0/12 -i ${oif}
    ${fwcmd} -A FORWARD -j DROP -d 172.16.0.0/12 -i ${oif}
    ${fwcmd} -A INPUT -j DROP -d 192.168.0.0/16 -i ${oif}
    ${fwcmd} -A FORWARD -j DROP -d 192.168.0.0/16 -i ${oif}

To the detractors -- yeah, similar, not at all the same, though.

If I confused anyone with "my.ip.ad.dres", I'm sorry; it's not like you
couldn't do a dig, anyway, but I'm paranoid...

KDK

*Please pardon my regexp...
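As an added illustration of David Kelly's point that each ipfw arglist is already a sentence (example code, not part of the original thread): the parser below reads the three ipfw lines from the post back as English and applies them to sample packets the way ipfw does, first match wins, with "via" matching the interface a packet is received or transmitted on. The interface name fxp0 and the packet addresses are constructed assumptions standing in for ${oif}.

```python
import ipaddress
import re

# Constructed input: the ipfw rules from the post, with ${fwcmd} dropped and
# ${oif} expanded to an assumed interface name the way the shell would.
OIF = "fxp0"
IPFW_RULES = f"""
# Stop RFC1918 nets on the outside interface
add deny all from any to 10.0.0.0/8 via {OIF}
add deny all from any to 172.16.0.0/12 via {OIF}
add deny all from any to 192.168.0.0/16 via {OIF}
"""

# Only the subset of ipfw(8) syntax used in the post is recognised here.
RULE_RE = re.compile(
    r"add\s+(?P<action>deny|allow)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?"
)

def parse_rules(text):
    """Turn rule lines into dicts; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        rules.append(m.groupdict())
    return rules

def to_english(rule):
    """Read one rule back as the sentence it already is."""
    where = f" passing through interface {rule['via']}" if rule["via"] else ""
    proto = ("packets of any protocol" if rule["proto"] in ("all", "ip")
             else f"{rule['proto']} packets")
    return f"{rule['action'].capitalize()} {proto} from {rule['src']} to {rule['dst']}{where}."

def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def verdict(rules, src, dst, iface):
    """First matching rule decides; 'via' ignores direction, as in ipfw."""
    for r in rules:
        if r["via"] and r["via"] != iface:
            continue
        if _addr_matches(r["src"], src) and _addr_matches(r["dst"], dst):
            return r["action"]
    return "no match"
```

A packet with a spoofed RFC1918 source and a public destination returns "no match": the ipfw lines in the post filter on destination, while the ipf lines filter on source, which is the "similar, not at all the same" the author mentions.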
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?096301c34110$49bf6cb0$1b41d5cc>