Date:      Sat, 4 May 2002 23:59:33 -0400
From:      "Peter C. Lai" <sirmoo@cowbert.2y.net>
To:        "William J. Borskey" <wborskey@hotmail.com>
Cc:        security@freebsd.org
Subject:   Re: ipfw
Message-ID:  <20020504235933.A1382@cowbert.2y.net>
In-Reply-To: <F93OUDxTcg2yWsqdiDu00006aa0@hotmail.com>; from wborskey@hotmail.com on Sat, May 04, 2002 at 08:36:52PM -0700
References:  <F93OUDxTcg2yWsqdiDu00006aa0@hotmail.com>

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
> 
> 
> Is it possible to write rules for ipfw using Ethernet addresses instead of
> IP addresses?

I don't think so (although I might be wrong).
I think people use static arp to prevent arp poisoning so 
IP <-> MAC translations stay the same.

> 
> ipfw -q -f flush
> ipfw -q add 00100 allow ip from any to any via lo0
> ipfw -q add 00220 deny log ip to me 22 from any in
> ipfw -q add 00100 allow ip from any to any
> ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
> ipfw -q add 00230 check-state
> ipfw -q add 00235 deny tcp from any to any in established
> ipfw -q add 00240 allow ip from any to any out keep-state
> ipfw -q add 00250 deny tcp from any to any 6000
> ipfw -q add 00900 deny log ip from any to any
> 
> and is this ok to block everything except ssh?
> 

Uh, check your rule numbering. You have two rule 100s.

Rule 220 will *block* port 22 on your machine,
and the second rule 100 allows everything, so this effectively
will *allow* everything *except* ssh.


-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
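The ruleset the thread is discussing, rewritten as an added example (not from either poster) the way a "block everything except ssh" policy would actually be ordered: unique ascending rule numbers, one stateful allow for inbound tcp/22, and the default deny last. The IPFW variable defaults to a dry-run echo so the script runs on a host without ipfw, and the duplicate-number check is my own helper that catches the mistake pointed out above.

```sh
#!/bin/sh
# Added example, not from the thread. Set IPFW=ipfw on a FreeBSD host to
# apply the rules for real; by default each command is only echoed.
IPFW="${IPFW:-echo ipfw}"

# Emit the ruleset, one ipfw argument list per line. Compared with the
# posted version: no duplicate 100, the inbound ssh rule is an allow with
# keep-state instead of a deny, and everything else inbound falls through
# to the final deny.
ssh_only_ruleset() {
  cat <<'EOF'
-q -f flush
-q add 00100 allow ip from any to any via lo0
-q add 00200 check-state
-q add 00210 allow tcp from any to me 22 in setup keep-state
-q add 00220 deny log tcp from any to any in tcpflags syn,fin
-q add 00230 deny tcp from any to any in established
-q add 00240 allow ip from any to any out keep-state
-q add 00900 deny log ip from any to any
EOF
}

# Succeeds only if no rule number is used twice in the given ruleset text.
# Two rules with the same number are legal to ipfw but are easy to misread,
# which is exactly what happened with the two rule 100s in the thread.
check_unique_numbers() {
  dups=$(printf '%s\n' "$1" | awk '$2 == "add" { print $3 }' | sort | uniq -d)
  [ -z "$dups" ]
}

# Count the "add" rules in a ruleset text (handy for a sanity check).
count_rules() {
  printf '%s\n' "$1" | awk '$2 == "add" { n++ } END { print n + 0 }'
}

# Refuse to load a ruleset that fails the numbering check, then feed each
# line to ipfw (or to echo in dry-run mode).
apply_ruleset() {
  rules=$(ssh_only_ruleset)
  check_unique_numbers "$rules" || { echo "duplicate rule numbers" >&2; return 1; }
  printf '%s\n' "$rules" | while IFS= read -r rule; do
    # shellcheck disable=SC2086
    $IPFW $rule
  done
}
```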


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020504235933.A1382>