Date:      Wed, 15 Jan 1997 12:19:40 -0700 (MST)
From:      Nate Williams <nate@mt.sri.com>
To:        "Eric J. Schwertfeger" <ejs@bfd.com>
Cc:        Nate Williams <nate@mt.sri.com>, phk@freebsd.org, current@freebsd.org
Subject:   Re: ipfw cannot do this...
Message-ID:  <199701151919.MAA06300@rocky.mt.sri.com>
In-Reply-To: <Pine.BSF.3.95.970115111042.1500L-100000@harlie>
References:  <199701151643.JAA05590@rocky.mt.sri.com> <Pine.BSF.3.95.970115111042.1500L-100000@harlie>

> > > I just found out one thing we need in ipfw, the ability to inverse the
> > > sense of a rule:
> > > 
> > > ipfw add deny not ip from 140.145.0.0 to any via ed0
> > > ipfw add deny not ip from any to 140.145.0.0 via ed1
> > >               ^^^
> > > ipfw add allow tcp from any to any 23
> > > ipfw add allow tcp from any to any 25
> > > ...
> > > 
> > > any takers ?
> > 
> > I'm not sure I follow what you want.  What exactly are you trying to do?
> 
> As someone that wants something like this, I think I can answer.  Quite a
> few times, I've wanted to deny everything but a certain address range, and
> then further restrict that address range.

Why not 'add' acceptance hosts and then restrict everything after that?

Since ipfw goes until it gets a match, it'll work fine that way.

This is how I'm doing it now.

# Allow traffic to/from machine 1.2.3.4 only
ipfw add allow tcp from 1.2.3.4 to any via ed0
ipfw add allow tcp from any to 1.2.3.4 via ed0
ipfw add deny log tcp from any to any via ed0

How is this any different from what's being asked for?

> Actually, what I really want is an ipfw add skip XXX ... where if
> something matches the rule, skip all other rules below XXX (yes, I always
> number my rules:-)

If you get a match, it *will* skip all the other rules.



Nate
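An added simulation of the first-match evaluation Nate describes (example code, not ipfw's own), applied to the thread's goal of denying everything but one address range and then restricting that range further; rule numbers, addresses, ports and the default rule are constructed for illustration.

```python
# Simulation of ipfw's first-match evaluation: an added example, not ipfw code.
# Rule numbers, addresses and ports are constructed; the default "deny" at
# 65535 assumes a default-to-deny kernel build.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    number: int
    action: str             # "allow" or "deny"
    proto: str              # "ip" matches any protocol, else e.g. "tcp"
    src: str                # CIDR or "any"
    dst: str
    iface: str              # the "via ed0" interface
    dport: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    iface: str
    dport: Optional[int] = None

def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto) and rule.iface == pkt.iface
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(rules, pkt: Packet):
    """Walk rules in number order. The first match decides and evaluation
    stops there, so every rule below it is skipped without a 'skip' action."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535    # assumed default rule

# "Deny everything but 140.145.0.0/16, then restrict that range to ports 23
# and 25" expressed purely by ordering: allow the permitted subset, deny the rest.
RULESET = [
    Rule(100, "allow", "tcp", "any", "140.145.0.0/16", "ed0", dport=23),
    Rule(200, "allow", "tcp", "any", "140.145.0.0/16", "ed0", dport=25),
    Rule(300, "deny", "ip", "any", "any", "ed0"),
]
```

A packet to 140.145.1.1 port 80 falls through both allow rules and is stopped by rule 300, while one to the same host on port 23 is accepted at rule 100 and never reaches the deny.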


