Date: Fri, 3 Jul 1998 01:58:10 -0700 (PDT)
From: Julian Elischer <julian@whistle.com>
To: Oles Hnatkevych <gnut@cki.ipri.kiev.ua>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW on a gateway
Message-ID: <Pine.BSF.3.95.980703013834.5714F-100000@current1.whistle.com>
In-Reply-To: <Pine.BSF.3.95.980703102746.15769A-100000@cki.ipri.kiev.ua>
On Fri, 3 Jul 1998, Oles Hnatkevych wrote:

> Hi!
>
> These are more general unix questions, but....
>
> Great thanks in advance for answering several questions.
>
> 1. When does ipfw process packets?
>    a) when the packet has just arrived?
>    b) when the packet has arrived, passed through the routing tables and is up
>       to be delivered to an interface?

Both.. that is the keyword "in recv ed0" or "out xmit ed0". The "in" or
"out" specifies whether to check on input processing (pre routing) or
output processing (post routing). Saying neither means DO BOTH, as does
"in out".

> 2. What does 'via interface' mean????? Does it mean 'from this interface'
>    or 'to this interface'?

via means "either to OR from".
xmit ed0 means "will be sent to ed0" (only valid with "out").
recv ed0 means "came in through ed0" (valid on both "in" and "out").

> 3. I'm going to set up ipfw on a gateway. This PC has 6 interfaces.
>    How do I allow sendmail connections to this PC? With 6 'add'
>    commands with all ip addresses???? In the routing tables for all
>    local addresses there's a route like '<address> 127.0.0.1 lo0'.
>    Can I just allow TCP connections to 127.0.0.1 instead of
>    N 'add' rules, where N is the number of local addresses?
>    (and 2 interfaces even have 2 aliases....)

You cannot use 127.0.0.1 as an alias for other addresses. They are
different. I would use 6 add commands specifying the interface NAME AND
address on each rule, which would stop spoofing. But it's hard to say
without knowing your exact setup. You can also do: "in recv de*" which
will match all the DEC interfaces. :-)

> 4. Still not clear how to allow passing all packets destined
>    not to this PC. I'm not going to firewall anything behind,
>    just this PC.

Without knowing EXACTLY what you want, this may be a first try..

  # (stop spoofing)
  add 10 allow ip from any to any via lo0
  add 11 deny ip from 127.0.0.1 to any
  add 12 deny ip from any to 127.0.0.1
  # Allow specifically ok tcp streams that terminate here.
  add 51 allow tcp from any to [myaddress1] 25 in recv ed0
  add 52 allow tcp from any to [myaddress2] 25 in recv ed1
  add 53 allow tcp from any to [myaddress3] 25 in recv ed2
  add 54 allow tcp from any to [myaddress4] 25 in recv ed3
  # [repeat as needed]
  # Kill anything else that terminates here (local usage will succeed).
  add 100 deny ip from any to [myaddress1] in
  # [repeat as needed]
  # Allow packets just being routed past.
  add 200 allow ip from any to any

Sounds a bit dangerous though..

julian

> Great thanks in advance for any hints and URL's.
>
> Bye.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
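As an added example, not part of Julian's message or of the ipfw documentation: a POSIX shell script that generates the ruleset he sketched from one table of interface/address pairs, so that question 3 (six interfaces, some with two aliases) does not mean typing an "add" line per address by hand. An alias is just another table row with the same interface name. The interface names and addresses are constructed placeholders, and the script only prints the rules; loading them into ipfw is left to the reader.

```sh
#!/bin/sh
# Added example (not from the original thread). Builds the per-interface
# rules from a table instead of hand-writing one "add" line per address.
# Interface names and addresses are constructed placeholders.

# One "iface address" pair per line. Constructed sample data: ed1 carries
# an alias, so it appears twice and gets a rule for each address.
IFACES='ed0 192.0.2.1
ed1 192.0.2.17
ed1 192.0.2.18
ed2 198.51.100.1'

# Anti-spoofing rules for the loopback address, as in Julian's sketch.
spoof_rules() {
    echo "add 10 allow ip from any to any via lo0"
    echo "add 11 deny ip from 127.0.0.1 to any"
    echo "add 12 deny ip from any to 127.0.0.1"
}

# One "allow tcp ... 25 in recv IFACE" per table row, so a connection to
# this box's SMTP port is only accepted on the interface that owns the
# address (a packet claiming that address on another interface does not
# match).  $1 = table, $2 = first rule number.
smtp_rules() {
    n=$2
    echo "$1" | while read -r iface addr; do
        [ -n "$iface" ] || continue
        echo "add $n allow tcp from any to $addr 25 in recv $iface"
        n=$((n + 1))
    done
}

# Deny everything else that terminates on one of our addresses
# (inbound only, so locally generated traffic is unaffected).
deny_local_rules() {
    n=$2
    echo "$1" | while read -r iface addr; do
        [ -n "$iface" ] || continue
        echo "add $n deny ip from any to $addr in"
        n=$((n + 1))
    done
}

# Full ruleset in Julian's order: anti-spoof, allowed terminating streams,
# deny other local traffic, then pass everything just being routed past.
gen_rules() {
    spoof_rules
    smtp_rules "$1" 51
    deny_local_rules "$1" 100
    echo "add 200 allow ip from any to any"
}

gen_rules "$IFACES"
```

Because ipfw evaluates rules in number order and stops at the first match, the deny block at 100 only sees inbound packets to local addresses that rule 51 onward did not already accept, and rule 200 only sees traffic that was not addressed to this host at all, which is what question 4 asked for.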