From owner-freebsd-isp Sat Feb 8 18:41:44 1997
Return-Path: 
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id SAA19054 for isp-outgoing; Sat, 8 Feb 1997 18:41:44 -0800 (PST)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA19026; Sat, 8 Feb 1997 18:41:38 -0800 (PST)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id SAA11408; Sat, 8 Feb 1997 18:41:06 -0800 (PST)
Received: from alpo.whistle.com(207.76.205.1) by whistle.com via smap (V1.3) id sma011406; Sat Feb 8 18:40:45 1997
Received: from current1.whistle.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.8.5/8.8.4) with SMTP id SAA25835; Sat, 8 Feb 1997 18:37:28 -0800 (PST)
Message-ID: <32FD37FA.41C67EA6@whistle.com>
Date: Sat, 08 Feb 1997 18:35:38 -0800
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: Robert Shady
CC: tiller@connectnet.com, FreeBSD-Questions@freebsd.org, FreeBSD-ISP@freebsd.org
Subject: Re: Packet filtering help please
References: <199702090005.TAA06715@server.id.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Robert Shady wrote:
> 
> > > this will add to my system. Also,
> > > where can I find more info on how to construct rules?
> > > (Beyond the man pages.)
> > > I will be doing this all remotely, so getting it right the first time is
> > > essential.
> > 
> > add the following code to the rc file
> > ipfw add 10000 allow ip from all to all
> > ipfw add 1000 deny ip from {his address}
> > 
> > 
> > that should about do it..
> > remember that the default rule is:
> > ipfw add 65536 deny ip from any to any
> > 
> > so you need to add the allow rule above via /etc/rc
> > because you won't be able to get to the box to do it by hand :)
> 
> Also remember that the numbers are the 'rule numbers', they are
> parsed from highest to lowest, and every one must be different.
> In the above example, it starts out like this
> 
> RULE #
> ======
> 65536  deny ip from any to any   (Don't let ANYONE into this box by default)
> 10000  allow ip from all to all  (Now allow EVERYONE into this box by default)
> 1000   deny ip from a.a.a.a      (Now just deny people from a.a.a.a)
> 
> And you could add...
> 
> 999    deny ip from b.b.b.b      (Now deny people from a.a.a.a & b.b.b.b)

Boy is that confusing!

1/ there can be more than one rule with the same number..
   ordering of such rules is undefined.

2/ the rules are parsed LOWEST to HIGHEST..
   the rules are interpreted with an implied "OTHERWISE go on to the next rule".

    while (rules to do) {
        if (condition of next rule is true) {
            if (rule is deny)
                return FALSE;
            else /* rule is accept */
                return TRUE;
        }
        rule++; /* move on to next rule */
    }

in other words the set above are:

1000   If it's our pesky friend block it and go get the next packet.
       otherwise, go on to the next rule.
10000  Allow all packets not already thrown out.
65535  *never reached*
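The evaluation order in the reply above is the whole point of the thread, so here is a small simulator of it. This is an added example, not code from the mail or from FreeBSD's ipfw: it models only what the reply states (rules walked from the lowest number to the highest, first match decides, rule 65535 is the default deny), accepts only the rule syntax used in the thread, and uses constructed rule numbers and documentation addresses (192.0.2.x) in place of the placeholders a.a.a.a / b.b.b.b. It also includes a check a remote admin would want before loading a ruleset: which rules are dead because a lower-numbered allow-all already decides every packet.

```python
"""Simulator of the ipfw first-match evaluation described in the mail.

Added example, not code from the original thread or from FreeBSD's ipfw.
It models only what the mail states: rules are walked from the LOWEST
number to the HIGHEST, the first matching rule decides (allow -> True,
deny -> False), and rule 65535 is the default deny that catches the rest.
The rule text, numbers and addresses below are constructed; the
placeholders a.a.a.a / b.b.b.b from the mail become 192.0.2.x here.
"""
import ipaddress

DEFAULT_RULE = 65535          # implicit "deny ip from any to any"
WILDCARDS = ("any", "all")    # the mail writes both; treated alike here


def parse_rule(text):
    """Parse 'add <num> <allow|deny> ip from <src> [to <dst>]' into a dict.

    Only the subset of ipfw syntax used in the thread is accepted: a single
    address or CIDR, or a wildcard, on each side; a missing 'to <dst>'
    means 'to any'.
    """
    parts = text.split()
    if parts[0] == "add":
        parts = parts[1:]
    num, action, proto, kw_from, src = parts[:5]
    if action not in ("allow", "deny") or proto != "ip" or kw_from != "from":
        raise ValueError("unsupported rule: %s" % text)
    dst = parts[6] if len(parts) >= 7 and parts[5] == "to" else "any"
    return {"num": int(num), "action": action, "src": src, "dst": dst}


def _matches(spec, addr):
    if spec in WILDCARDS:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst):
    """Return (allowed, deciding_rule_number) for a packet src -> dst.

    This is the loop from the mail: walk the rules in ascending number and
    stop at the first whose condition is true. If none match, the default
    rule 65535 denies the packet.
    """
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"] == "allow", rule["num"]
    return False, DEFAULT_RULE


def shadowed_rules(rules):
    """Numbers of rules that can never fire because a LOWER-numbered
    'from any to any' rule already decides every packet.

    This is the trap in the thread: 'deny ip from b.b.b.b' only works if
    its number is below the 'allow ip from any to any' rule (999 works,
    20000 is dead). sorted() is stable, so equal numbers keep list order
    here; the mail says real ipfw leaves that order undefined, which is
    why duplicate_numbers() reports them separately.
    """
    dead, catch_all_seen = [], False
    for rule in sorted(rules, key=lambda r: r["num"]):
        if catch_all_seen:
            dead.append(rule["num"])
        elif rule["src"] in WILDCARDS and rule["dst"] in WILDCARDS:
            catch_all_seen = True
    return dead


def duplicate_numbers(rules):
    """Rule numbers used more than once (their relative order is undefined)."""
    seen, dups = set(), set()
    for rule in rules:
        if rule["num"] in seen:
            dups.add(rule["num"])
        seen.add(rule["num"])
    return sorted(dups)


# Constructed rule set: the thread's rules plus one deny numbered above the allow.
THREAD_RULES = [parse_rule(t) for t in (
    "add 10000 allow ip from any to any",
    "add 1000 deny ip from 192.0.2.1",    # '{his address}' / a.a.a.a
    "add 999 deny ip from 192.0.2.2",     # b.b.b.b, numbered BELOW the allow
    "add 20000 deny ip from 192.0.2.3",   # constructed: numbered ABOVE the allow
)]

if __name__ == "__main__":
    for src in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "198.51.100.7"):
        print(src, "->", evaluate(THREAD_RULES, src, "203.0.113.9"))
    print("shadowed (never reached):", shadowed_rules(THREAD_RULES))
    denies_only = [r for r in THREAD_RULES if r["action"] == "deny"]
    print("with no allow rule loaded:", evaluate(denies_only, "198.51.100.7", "203.0.113.9"))
```

The last line of the demo is the remote-admin case from the thread: with the deny rules loaded but no allow rule, every packet falls through to 65535 and is dropped, which is exactly the lockout the reply warns about. The rule numbered 20000 is reported as shadowed because 10000 already allows everything it could have matched.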