Date:      Wed, 15 Jan 97 14:23:55 CST
From:      Joe Greco <jgreco@solaria.sol.net>
To:        ejs@bfd.com (Eric J. Schwertfeger)
Cc:        nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
Subject:   Re: ipfw cannot do this...
Message-ID:  <199701152023.OAA14652@solaria.sol.net>
In-Reply-To: <Pine.BSF.3.95.970115111042.1500L-100000@harlie> from "Eric J. Schwertfeger" at Jan 15, 97 11:14:32 am

> On Wed, 15 Jan 1997, Nate Williams wrote:
> 
> > > I just found out one thing we need in ipfw, the ability to inverse the
> > > sense of a rule:
> > > 
> > > ipfw add deny not ip from 140.145.0.0 to any via ed0
> > > ipfw add deny not ip from any to 140.145.0.0 via ed1
> > >               ^^^
> > > ipfw add allow tcp from any to any 23
> > > ipfw add allow tcp from any to any 25
> > > ...
> > > 
> > > any takers ?
> > 
> > I'm not sure I follow what you want.  What exactly are you trying to do?
> 
> As someone that wants something like this, I think I can answer.  Quite a
> few times, I've wanted to deny everything but a certain address range, and
> then further restrict that address range.
> 
> Actually, what I really want is an ipfw add skip XXX ... where if
> something matches the rule, skip all other rules below XXX (yes, I always
> number my rules:-)

That would work.  

ipfw gets to be messy when you want to implement both a cleanwall and a
firewall...  not messy-impossible-to-do, but messy-hard-to-understand-and-read.

It gets very tricky to specify:

{
	/* RFC1918 cleanwall */

	if (	src = 10.0.0.0/8	||
		src = 127.0.0.0/8	||
		src = 172.16.0.0/12	||
		src = 192.168.0.0/16		) then drop;

	if (	dst = 10.0.0.0/8	||
		dst = 127.0.0.0/8	||
		dst = 172.16.0.0/12	||
		dst = 192.168.0.0/16		) then drop;

	/* My nets - outbound cleanwall */

	if (	outbound_interface = wan0	) && (
		src != 206.55.64.0/20	&& 
		src != 204.95.172.0/24	&&
		src != 204.95.219.0/24		) then drop;

	if (	outbound_interface = wan0	) && (
		dst = 206.55.64.0/20	||
		dst = 204.95.172.0/24	||
		dst = 204.95.219.0/24		) then drop;

	/* My nets - inbound cleanwall */

	if (	inbound_interface = wan0	) && (
		src = 206.55.64.0/20	||
		src = 204.95.172.0/24	||
		src = 204.95.219.0/24		) then drop;

	if (	inbound_interface = wan0	) && (
		dst != 206.55.64.0/20	&& 
		dst != 204.95.172.0/24	&&
		dst != 204.95.219.0/24		) then drop;

	/* My firewall rules */
	etc.
}

There's a lot of logic flow in there.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator			      jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI			   414/342-4847



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701152023.OAA14652>
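The two things the thread asks for, an inverted address match and a "skip" that jumps past the rest of the rules, and the cleanwall/firewall split in the pseudocode above, as an added example that is not part of the original message and is not FreeBSD's ipfw code. It is a small first-match evaluator in Python: rules are numbered and walked in ascending order like ipfw's, a matching `skipto` jumps forward to the first rule numbered at or above its target, and `src_negate`/`dst_negate` invert only the address test (so "deny not ip from X via ed0" still applies only to traffic on ed0). The rule numbers, the `skipto` action, the field names, the sample packets and the /16 mask put on 140.145.0.0 (the message gives no mask) are all this example's own assumptions; the prefixes are the ones in the message.

```python
"""First-match packet filter mirroring the cleanwall/firewall logic in the
message.  Added example: rule syntax, the skipto action and the per-field
negate flags are this script's modelling of what the thread asks for."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Prefixes from the message.  The /16 on 140.145.0.0 is an assumption.
RFC1918 = [ip_network(n) for n in
           ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MY_NETS = [ip_network(n) for n in
           ("206.55.64.0/20", "204.95.172.0/24", "204.95.219.0/24")]
TRUSTED = [ip_network("140.145.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str            # interface the packet is seen on
    direction: str        # "in" or "out"
    proto: str = "tcp"
    dport: Optional[int] = None


def _in(addr: str, nets) -> bool:
    return any(ip_address(addr) in n for n in nets)


@dataclass
class Rule:
    num: int
    action: str                               # "allow", "deny" or "skipto"
    src: List = field(default_factory=list)   # empty list means "any"
    dst: List = field(default_factory=list)
    src_negate: bool = False                  # the requested "not" on src
    dst_negate: bool = False                  # the requested "not" on dst
    iface: Optional[str] = None
    direction: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: Optional[int] = None              # skipto destination

    def matches(self, p: Packet) -> bool:
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        # Negation applies to the address test only, never to the interface.
        if self.src and _in(p.src, self.src) == self.src_negate:
            return False
        if self.dst and _in(p.dst, self.dst) == self.dst_negate:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first allow/deny that matches.
    A matching skipto jumps forward to the first rule numbered >= target;
    backward jumps are rejected so the walk always terminates."""
    rules = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(p):
            i += 1
            continue
        if r.action == "skipto":
            if r.target is None or r.target <= r.num:
                raise ValueError(f"rule {r.num}: skipto must jump forward")
            i = next((j for j, x in enumerate(rules) if x.num >= r.target),
                     len(rules))
            continue
        return r.action, r.num
    return "deny", None   # implicit default deny


def cleanwall_rules() -> List[Rule]:
    """Joe's pseudocode: RFC1918 filter, anti-spoof both ways, then firewall."""
    return [
        Rule(100, "deny", src=RFC1918),
        Rule(110, "deny", dst=RFC1918),
        # outbound on wan0: source must be ours, destination must not be
        Rule(200, "deny", iface="wan0", direction="out", src=MY_NETS, src_negate=True),
        Rule(210, "deny", iface="wan0", direction="out", dst=MY_NETS),
        # inbound on wan0: source must not be ours, destination must be
        Rule(300, "deny", iface="wan0", direction="in", src=MY_NETS),
        Rule(310, "deny", iface="wan0", direction="in", dst=MY_NETS, dst_negate=True),
        # firewall proper: telnet and smtp only (assumed policy)
        Rule(1000, "allow", proto="tcp", dport=23),
        Rule(1010, "allow", proto="tcp", dport=25),
        Rule(65535, "deny"),
    ]


def skip_rules() -> List[Rule]:
    """Eric's idea: deny everything but a range, then restrict that range."""
    return [
        Rule(100, "skipto", src=TRUSTED, target=1000),   # trusted range jumps past the deny
        Rule(500, "deny"),                               # everyone else stops here
        Rule(1000, "allow", proto="tcp", dport=23),
        Rule(1010, "allow", proto="tcp", dport=25),
        Rule(65535, "deny"),
    ]


if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    print(evaluate(cleanwall_rules(), Packet("1.2.3.4", "8.8.8.8", "wan0", "out", "tcp", 25)))
    print(evaluate(cleanwall_rules(), Packet("1.2.3.4", "206.55.64.5", "wan0", "in", "tcp", 23)))
    print(evaluate(skip_rules(), Packet("140.145.1.1", "204.95.172.9", "ed0", "in", "tcp", 80)))
```

Run it and the first line reports `('deny', 200)`: a packet leaving wan0 with a source address that is not one of "my nets" is spoofed and dies at the outbound cleanwall before the firewall rules are ever consulted. The skip variant needs no negated rule at all: the trusted range is the only traffic that reaches rule 1000, and everything it is not explicitly allowed to do still falls through to the final deny.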