From owner-freebsd-security Mon Jan 6 15:14:27 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id PAA08900 for security-outgoing; Mon, 6 Jan 1997 15:14:27 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id PAA08895 for ; Mon, 6 Jan 1997 15:14:24 -0800 (PST)
From: proff@suburbia.net
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id PAA19395 for ; Mon, 6 Jan 1997 15:14:46 -0800 (PST)
Received: (qmail 23463 invoked by uid 110); 6 Jan 1997 23:12:49 -0000
Message-ID: <19970106231249.23462.qmail@suburbia.net>
Subject: Re: FreeBSD as a cleanwall
In-Reply-To: from Brandon Gillespie at "Jan 6, 97 02:39:20 pm"
To: brandon@cold.org (Brandon Gillespie)
Date: Tue, 7 Jan 1997 10:12:49 +1100 (EST)
Cc: security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> Does anybody have a configuration for packet filtering through a FreeBSD
> router to run a cleanwall? Basically to keep all addresses of a specific
> IP set (say a class C) on the right sides. I.e. only set addresses of
> that set leave the network and don't allow any addresses of that set onto
> the network? I'm mulling through the docs now, but figured to look here
> for any possible pointers, as this seems like it would be a common enough
> operation..
>
> -Brandon Gillespie
>

What you want is something like:

# ipfw add pass all from 10.1.2.1 to any in via ed0
# ipfw add pass all from any to 10.1.2.1 out via ed0
# ipfw add deny all from 10.1.2.0/24 to any in via ed0
# ipfw add deny all from any to 10.1.2.0/24 out via ed0

Note that the current ipfw is a little painful, because you can't
distinguish packets to be forwarded and packets to be accepted/sent
to/from the host.

If you are running my ipfw patches, you can (mostly) avoid this by using:

# ipfw add action type from src to dst direction uid any

which will match any packet emanating from or destined to a local
socket. I say "mostly", because it is possible the packet is not
associated with a socket even though it is addressed to the local host,
e.g. kernel support for NFS.

-Julian
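The following is an added example, not code from the thread or from FreeBSD's ipfw: a small first-match evaluator for the rule syntax used above ("<action> all from <src> to <dst> [in|out] [via <ifname>]"), run over a constructed cleanwall ruleset that covers both halves of Brandon's question (inside addresses never arrive from outside, only inside addresses leave) and the point Julian raises, that ipfw applies the same rules to the router's own packets as to forwarded ones, so the router's own address needs an explicit pass. The topology is assumed: ed0 is the outside interface with address 192.0.2.1, ed1 the inside interface, 10.1.2.0/24 the inside net, and a kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT (so rule 65535 is deny). The addresses, interface names and sample packets are constructed for the example.

```python
"""First-match evaluator for the old ipfw rule syntax, with a cleanwall ruleset.

Added example, not the thread's or ipfw's own code. Assumed topology: ed0 is
the outside interface (router address 192.0.2.1), ed1 the inside interface,
10.1.2.0/24 the inside network; default rule 65535 is deny.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

RULE_RE = re.compile(
    r"^(?P<action>pass|deny)\s+all\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dir>in|out))?(?:\s+via\s+(?P<via>\S+))?$"
)


@dataclass
class Rule:
    number: int
    action: str
    src: Optional[ipaddress.IPv4Network]  # None stands for "any"
    dst: Optional[ipaddress.IPv4Network]
    direction: Optional[str]              # "in", "out" or None (either)
    via: Optional[str]                    # interface name or None (any)
    text: str


@dataclass
class Packet:
    src: str
    dst: str
    direction: str  # "in" (received on iface) or "out" (leaving via iface)
    iface: str


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_ruleset(lines: List[str]) -> List[Rule]:
    """Parse rules in listing order; numbers step by 100 like 'ipfw add'."""
    rules = []
    for i, line in enumerate(lines, start=1):
        m = RULE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(100 * i, m["action"], _net(m["src"]), _net(m["dst"]),
                          m["dir"], m["via"], line.strip()))
    return rules


def _matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw semantics: the first matching rule decides; the kernel's implicit
    rule 65535 (deny, for a kernel without IPFIREWALL_DEFAULT_TO_ACCEPT)
    catches anything that falls through."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535


# Constructed cleanwall for the assumed topology. ipfw checks the router's
# own packets with the same rules as forwarded ones, so the router's outside
# address needs rule 500; without it the egress filter in rule 600 would cut
# the router itself off from the world.
CLEANWALL = parse_ruleset([
    "deny all from 10.1.2.0/24 to any in via ed0",   # 100: inside addrs never arrive from outside
    "deny all from 192.0.2.1 to any in via ed0",     # 200: nor does the router's own address
    "deny all from any to 10.1.2.0/24 out via ed0",  # 300: traffic for inside never leaves via ed0
    "pass all from 10.1.2.0/24 to any out via ed0",  # 400: only inside addresses may leave
    "pass all from 192.0.2.1 to any out via ed0",    # 500: plus the router's own sockets
    "deny all from any to any out via ed0",          # 600: any other source leaving is spoofed
    "pass all from any to any",                      # 700: inside interface, inbound replies
])


def check_packets() -> List[Tuple[str, str, int]]:
    """Run constructed sample packets through the ruleset: (label, action, rule)."""
    samples = [
        ("inside host to internet", Packet("10.1.2.7", "198.51.100.9", "out", "ed0")),
        ("reply to inside host", Packet("198.51.100.9", "10.1.2.7", "in", "ed0")),
        ("spoofed inside src from outside", Packet("10.1.2.7", "198.51.100.9", "in", "ed0")),
        ("foreign src trying to leave", Packet("203.0.113.4", "198.51.100.9", "out", "ed0")),
        ("router's own outbound packet", Packet("192.0.2.1", "198.51.100.9", "out", "ed0")),
        ("someone spoofing the router", Packet("192.0.2.1", "198.51.100.9", "in", "ed0")),
        ("inside-bound packet leaking out", Packet("198.51.100.9", "10.1.2.7", "out", "ed0")),
        ("inside host on inside interface", Packet("10.1.2.7", "198.51.100.9", "in", "ed1")),
    ]
    return [(label, *evaluate(CLEANWALL, pkt)) for label, pkt in samples]


if __name__ == "__main__":
    for label, action, number in check_packets():
        print(f"{action:4} rule {number:5}  {label}")
```

Rule ordering matters: the denies for spoofed sources (100, 200) and for inside-bound traffic leaking out (300) sit before the passes, and the egress pass for the inside net (400) comes before the catch-all outbound deny (600), so a misconfigured inside host with a foreign address is dropped at 600 while a genuine inside host is accepted at 400.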