Date: Tue, 7 Jan 1997 10:12:49 +1100 (EST)
From: proff@suburbia.net
To: brandon@cold.org (Brandon Gillespie)
Cc: security@freebsd.org
Subject: Re: FreeBSD as a cleanwall
Message-ID: <19970106231249.23462.qmail@suburbia.net>
In-Reply-To: <Pine.NEB.3.95.970106143712.23715A-100000@cold.org> from Brandon Gillespie at "Jan 6, 97 02:39:20 pm"
> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall? Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides. I.e. only set addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network? I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation..
>
> -Brandon Gillespie
>

what you want is something like:

# ipfw add pass all from 10.1.2.1 to any in via ed0
# ipfw add pass all from any to 10.1.2.1 out via ed0
# ipfw add deny all from 10.1.2.0/24 to any in via ed0
# ipfw add deny all from any to 10.1.2.0/24 out via ed0

Note that the current ipfw is a little painful, because you can't
distinguish packets to be forwarded and packets to be accepted/sent
to/from the host. If you are running my ipfw patches, you can (mostly)
avoid this by using:

# ipfw add action type from src to dst direction uid any

Which will match any packet emanating from or destined to a local
socket. I say "mostly", because it is possible the packet is not
associated with a socket even though it is addressed to the local host,
e.g. kernel support for nfs

-Julian <proff@iq.org>
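The ruleset in the reply is first-match, so its effect depends on rule order and on the in/out and via qualifiers. The following is an added example, not code from the thread or from FreeBSD: a small Python evaluator that models only the ipfw syntax subset the reply uses ("<action> all from <src> to <dst> [in|out] [via <if>]"), loads the four rules (with the apparent typos in the second and fourth commands corrected: a missing "any" after "from", and a stray "any" before "out"), and runs constructed packets through them. The outside address 192.0.2.9 and the trailing "pass all from any to any" default are assumptions; the reply does not state the firewall's default policy.

```python
"""
Minimal first-match evaluator for the ipfw-style cleanwall rules.
Added example, not from the thread: it models only the subset of ipfw
syntax used there so the effect of rule order can be checked offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: Optional[str]         # "in", "out", or None for either
    via: Optional[str]               # interface name, or None for any


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    direction: str  # "in" (received on iface) or "out" (sent on iface)
    iface: str


def _net(tok: str) -> ipaddress.IPv4Network:
    # "any" -> 0.0.0.0/0; a bare host address becomes a /32
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(text: str) -> Rule:
    """Parse one 'ipfw add ...' line (only the subset used in the reply)."""
    toks = text.split()
    if toks[:2] == ["ipfw", "add"]:
        toks = toks[2:]
    action, proto = toks[0], toks[1]
    if action not in ("pass", "deny") or proto != "all":
        raise ValueError(f"unsupported rule: {text}")
    if toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"malformed rule: {text}")
    src, dst = _net(toks[3]), _net(toks[5])
    rest = toks[6:]
    direction = via = None
    i = 0
    while i < len(rest):
        if rest[i] in ("in", "out"):
            direction = rest[i]
            i += 1
        elif rest[i] == "via":
            via = rest[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown option {rest[i]!r} in: {text}")
    return Rule(action, src, dst, direction, via)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.via is None or rule.via == pkt.iface))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; no match falls to an assumed default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The reply's ruleset (typos corrected) plus an explicit final pass rule;
# the final rule is an assumption, the reply does not give the default policy.
CLEANWALL_RULES = [parse_rule(r) for r in [
    "ipfw add pass all from 10.1.2.1 to any in via ed0",
    "ipfw add pass all from any to 10.1.2.1 out via ed0",
    "ipfw add deny all from 10.1.2.0/24 to any in via ed0",
    "ipfw add deny all from any to 10.1.2.0/24 out via ed0",
    "ipfw add pass all from any to any",
]]


def cleanwall(src: str, dst: str, direction: str, iface: str = "ed0") -> str:
    return evaluate(CLEANWALL_RULES, Packet(src, dst, direction, iface))


if __name__ == "__main__":
    # Constructed sample packets; 192.0.2.9 stands in for an outside host.
    samples = [
        ("10.1.2.50", "192.0.2.9", "in"),   # inside address arriving from outside: spoofed
        ("192.0.2.9", "10.1.2.50", "in"),   # normal inbound traffic
        ("10.1.2.50", "192.0.2.9", "out"),  # normal outbound traffic
        ("192.0.2.9", "10.1.2.50", "out"),  # inside-bound packet leaking out ed0
        ("10.1.2.1", "192.0.2.9", "in"),    # the host exception in rule 1
    ]
    for src, dst, direction in samples:
        print(f"{direction:3} via ed0 {src:>10} -> {dst:<10} {cleanwall(src, dst, direction)}")
```

Running it shows the two deny rules catching exactly the two bad cases (a packet carrying an inside source address received on ed0, and a packet bound for an inside address transmitted on ed0) while ordinary traffic in both directions falls through to the final pass rule. Because matching is first-match, the two host-specific pass rules for 10.1.2.1 only take effect because they sit above the deny rules; swapping the order would silently drop that host's traffic too.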
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970106231249.23462.qmail>