From owner-freebsd-questions@FreeBSD.ORG Wed Jul 2 20:08:08 2003
From: "Kevin Kinsey, DaleCo, S.P." <kdk@daleco.biz>
To: freebsd-questions@freebsd.org
Subject: Re: setting up ipfw
Date: Wed, 2 Jul 2003 22:07:49 -0500
Organization: DaleCo, S.P.---"the solutions people"
Message-ID: <096301c34110$49bf6cb0$1b41d5cc@nitanjared>
References: <03e401c3403b$959b58e0$1b41d5cc@nitanjared> <5.1.0.14.2.20030702105854.05756080@209.152.117.178> <200307021456.28271.dkelly@HiWAAY.net>
List-Id: User questions

From: "David Kelly"
To: freebsd-questions@freebsd.org
Sent: Wednesday, July 02, 2003 2:56 PM
Subject: Re: setting up ipfw

> On Wednesday 02 July 2003 11:00 am, W. D. wrote:
> >
> > Is there some guide to translate IPFW rules to English so that they
> > are understandable?
>
> They already are. Each arglist to ipfw(8) is a sentence. ipfw(8) is only
> an interpreter of those instructions which writes the instructions in a
> form ipfw(4) can understand. Or reads them back in a form you can
> understand.
>

And this is one of the things that swung my decision to ipfw ...

a] the easy syntax of the rules;
b] the most well-written tutorial I found while * ST[F]?W was based on ipfw.

Consider the following somewhat biased example. However, the answer to
the "which is most like English" ?? seems clear to me...

ipfw:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
    ${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
    ${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

ipf:

    # block address spoofing on the external interface
    block in quick on ed0 from 127.0.0.1/8 to any
    block in quick on ed0 from 10.0.0.0/8 to any
    block in quick on ed0 from 172.16.0.0/12 to any
    block in quick on ed0 from 192.168.0.0/16 to any
    block in quick on ed0 from 224.0.0.0/4 to any
    block in quick on ed0 from 240.0.0.0/5 to any

iptables:

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} -A INPUT -j DROP -d 10.0.0.0/8 -i ${oif}
    ${fwcmd} -A FORWARD -j DROP -d 10.0.0.0/8 -i ${oif}
    ${fwcmd} -A INPUT -j DROP -d 172.16.0.0/12 -i ${oif}
    ${fwcmd} -A FORWARD -j DROP -d 172.16.0.0/12 -i ${oif}
    ${fwcmd} -A INPUT -j DROP -d 192.168.0.0/16 -i ${oif}
    ${fwcmd} -A FORWARD -j DROP -d 192.168.0.0/16 -i ${oif}

To the detractors -- yeah, similar, not at all the same, though.
If I confused anyone with "my.ip.ad.dres", I'm sorry; it's not like you
couldn't do a dig, anyway, but I'm paranoid...

KDK

* Please pardon my regexp...
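An added example, not code from this thread or from FreeBSD's rc.firewall: it parses the ipfw argument list shown above (everything after ${fwcmd}), reads each rule back as the English sentence David describes, and walks a constructed packet through the list first-match-first-wins, which is how ipfw(4) decides. The outside interface name xl0 and the sample addresses are assumptions; the rule syntax covered is only the `add <allow|deny> <proto> from <src> to <dst> [via <iface>]` shape used in the message.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Rule shape used in the thread: add <allow|deny> <proto> from <src> to <dst> [via <iface>]
RULE_RE = re.compile(r"add\s+(?P<action>allow|deny)\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
                     r"\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<iface>\S+))?$")

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    iface: Optional[str]

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipfw syntax: {line!r}")
    return Rule(**m.groupdict())

def addr_matches(spec: str, addr: str) -> bool:
    # "any" matches everything; otherwise a host address or CIDR prefix
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def to_english(rule: Rule) -> str:
    # Read the rule back as the sentence it already is
    what = "any packet" if rule.proto in ("all", "ip") else f"{rule.proto} packets"
    where = f" on interface {rule.iface}" if rule.iface else ""
    return f"{rule.action} {what} from {rule.src} to {rule.dst}{where}"

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, iface: str,
             default: str = "deny") -> str:
    # First matching rule wins, as in ipfw(4); `default` stands in for the final
    # rule 65535, which is "deny ip from any to any" in a stock FreeBSD kernel.
    for r in rules:
        if r.proto not in ("all", "ip") and r.proto != proto:
            continue
        if r.iface and r.iface != iface:
            continue
        if addr_matches(r.src, src) and addr_matches(r.dst, dst):
            return r.action
    return default

OIF = "xl0"  # assumed name for the outside interface (${oif} in the thread)
RULESET = [parse_rule(f"add deny all from any to {net} via {OIF}")
           for net in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
```

Calling `evaluate` with `default="allow"` shows what the three deny rules alone do; with the stock default every unmatched packet is denied regardless.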