From owner-freebsd-current Wed Jan 15 12:24:15 1997
From: Joe Greco
Message-Id: <199701152023.OAA14652@solaria.sol.net>
Subject: Re: ipfw cannot do this...
To: ejs@bfd.com (Eric J. Schwertfeger)
Date: Wed, 15 Jan 97 14:23:55 CST
Cc: nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
In-Reply-To: from "Eric J. Schwertfeger" at Jan 15, 97 11:14:32 am

> On Wed, 15 Jan 1997, Nate Williams wrote:
>
> > > I just found out one thing we need in ipfw, the ability to inverse the
> > > sense of a rule:
> > >
> > > ipfw add deny not ip from 140.145.0.0 to any via ed0
> > > ipfw add deny not ip from any to 140.145.0.0 via ed1
> > >               ^^^
> > > ipfw add allow tcp from any to any 23
> > > ipfw add allow tcp from any to any 25
> > > ...
> > >
> > > any takers ?
> >
> > I'm not sure I follow what you want. What exactly are you trying to do?
>
> As someone that wants something like this, I think I can answer. Quite a
> few times, I've wanted to deny everything but a certain address range, and
> then further restrict that address range.
>
> Actually, what I really want is an ipfw add skip XXX ... where if
> something matches the rule, skip all other rules below XXX (yes, I always
> number my rules:-)

That would work.
ipfw gets to be messy when you want to implement both a cleanwall and a
firewall... not messy-impossible-to-do, but
messy-hard-to-understand-and-read.  It gets very tricky to specify:

{
        /* RFC1918 cleanwall */
        if ( src = 10.0.0.0/8 || src = 127.0.0.0/8 ||
             src = 172.16.0.0/12 || src = 192.168.0.0/16 )
                then drop;
        if ( dst = 10.0.0.0/8 || dst = 127.0.0.0/8 ||
             dst = 172.16.0.0/12 || dst = 192.168.0.0/16 )
                then drop;

        /* My nets - outbound cleanwall */
        if ( outbound_interface = wan0 ) &&
           ( src != 206.55.64.0/20 && src != 204.95.172.0/24 &&
             src != 204.95.219.0/24 )
                then drop;
        if ( outbound_interface = wan0 ) &&
           ( dst = 206.55.64.0/20 || dst = 204.95.172.0/24 ||
             dst = 204.95.219.0/24 )
                then drop;

        /* My nets - inbound cleanwall */
        if ( inbound_interface = wan0 ) &&
           ( src = 206.55.64.0/20 || src = 204.95.172.0/24 ||
             src = 204.95.219.0/24 )
                then drop;
        if ( inbound_interface = wan0 ) &&
           ( dst != 206.55.64.0/20 && dst != 204.95.172.0/24 &&
             dst != 204.95.219.0/24 )
                then drop;

        /* My firewall rules */
        etc.
}

There's a lot of logic flow in there.

... Joe

-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                           jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                       414/342-4847
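As an added illustration (not code from the message above, and not ipfw itself): a toy first-match rule evaluator in Python with the "skip to rule N" action proposed in the thread, used to flatten Joe's cleanwall into a numbered rule list. The tuple layout, the evaluate/check functions and the sample packets are assumptions of this example; the prefixes and interface name are the ones in the message.

```python
import ipaddress

# Toy first-match rule evaluator in the spirit of ipfw, with the "skip to
# rule N" action proposed in the thread (an assumption, not 1997 ipfw syntax).
# A rule is (number, action, src, dst, iface, direction); action is "allow",
# "deny", or an int meaning "skip to the first rule numbered >= that int".
def match(rule, src, dst, iface, direction):
    _, _, rsrc, rdst, riface, rdir = rule
    return ((rsrc == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(rsrc))
            and (rdst == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(rdst))
            and (riface is None or riface == iface)
            and (rdir is None or rdir == direction))

def evaluate(rules, src, dst, iface, direction):
    """Return 'allow' or 'deny' for one packet; rules are scanned in number order."""
    rules = sorted(rules, key=lambda r: r[0])
    i = 0
    while i < len(rules):
        rule = rules[i]
        if match(rule, src, dst, iface, direction):
            if isinstance(rule[1], int):          # skip: jump forward to rule >= N
                i = next((k for k, r in enumerate(rules) if r[0] >= rule[1]), len(rules))
                continue
            return rule[1]
        i += 1
    return "deny"                                  # implicit default deny

# The cleanwall from the message as a flat rule list (constructed example).
PRIVATE = ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
MINE = ["206.55.64.0/20", "204.95.172.0/24", "204.95.219.0/24"]
RULES = []
for k, net in enumerate(PRIVATE):                  # RFC1918 (plus loopback) cleanwall
    RULES += [(100 + 2 * k, "deny", net, "any", None, None), (101 + 2 * k, "deny", "any", net, None, None)]
for k, net in enumerate(MINE):                     # outbound: only my nets as source...
    RULES.append((200 + k, 300, net, "any", "wan0", "out"))
RULES.append((210, "deny", "any", "any", "wan0", "out"))       # ...else drop
for k, net in enumerate(MINE):                     # ...and never my nets as destination
    RULES.append((300 + k, "deny", "any", net, "wan0", "out"))
for k, net in enumerate(MINE):                     # inbound: never my nets as source
    RULES.append((400 + k, "deny", net, "any", "wan0", "in"))
for k, net in enumerate(MINE):                     # inbound: only my nets as destination...
    RULES.append((410 + k, 500, "any", net, "wan0", "in"))
RULES.append((420, "deny", "any", "any", "wan0", "in"))         # ...else drop
RULES.append((500, "allow", "any", "any", None, None))          # firewall rules would start here

def check(src, dst, iface, direction):
    return evaluate(RULES, src, dst, iface, direction)
```

The skip action is what lets "deny everything but my nets" sit above rules that further restrict those same nets without an early allow terminating the scan.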