From owner-freebsd-security Sat May 4 20:59:43 2002
Date: Sat, 4 May 2002 23:59:33 -0400
From: "Peter C. Lai"
To: "William J. Borskey"
Cc: security@freebsd.org
Subject: Re: ipfw
Message-ID: <20020504235933.A1382@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from wborskey@hotmail.com on Sat, May 04, 2002 at 08:36:52PM -0700

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
>
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?

i don't think so (although i might be wrong). I think people use static arp
to prevent arp poisoning so IP <-> MAC translations stay the same.

> ipfw -q -f flush
> ipfw -q add 00100 allow ip from any to any via lo0
> ipfw -q add 00220 deny log ip to me 22 from any in
> ipfw -q add 00100 allow ip from any to any
> ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
> ipfw -q add 00230 check-state
> ipfw -q add 00235 deny tcp from any to any in established
> ipfw -q add 00240 allow ip from any to any out keep-state
> ipfw -q add 00250 deny tcp from any to any 6000
> ipfw -q add 00900 deny log ip from any to any
>
> and is this ok to block everything except ssh?

uh check your rule numbering. you have 2 rule 100s. 220 will *block* port 22
on your machine. and the 2nd rule 100 allows everything so this effectively
will *allow* everything *except* ssh.

--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message