From owner-freebsd-questions Fri Jan 14 9:46:31 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mx2.x-treme.gr (mx2.x-treme.gr [212.120.192.15]) by hub.freebsd.org (Postfix) with ESMTP id 29EDE15699; Fri, 14 Jan 2000 09:21:48 -0800 (PST) (envelope-from keramida@diogenis.ceid.upatras.gr)
Received: from hades.hell.gr (pat51.x-treme.gr [212.120.197.243]) by mx2.x-treme.gr (8.9.3/8.9.3/IPNG-ADV-ANTISPAM-0.1) with ESMTP id TAA14655; Fri, 14 Jan 2000 19:20:57 +0200
Received: (from charon@localhost) by hades.hell.gr (8.9.3/8.9.3) id SAA07619; Fri, 14 Jan 2000 18:15:46 +0200 (EET) (envelope-from keramida@diogenis.ceid.upatras.gr)
Date: Fri, 14 Jan 2000 18:15:46 +0200
From: Giorgos Keramidas
To: m
Cc: freebsd-questions@FreeBSD.ORG, freebsd-newbies@FreeBSD.ORG
Subject: Re: IPFW question
Message-ID: <20000114181546.C6800@hades.hell.gr>
Reply-To: keramida@ceid.upatras.gr
References: <006a01bf5c11$6bdb5940$8b2fa8c0@wipsys.ge.com> <20000111182944.B64680@hades.hell.gr> <20000112030449.69F52639DC@zagnut.hotpop.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <20000112030449.69F52639DC@zagnut.hotpop.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Jan 11, 2000 at 10:04:49PM -0500, m wrote:
>
> If I deny ip access to an address (10.0.0.1) that includes ALL the
> ports, of course. from 0 to 65535.
>
> And "allow all via lo0" means anything passing thru lo0 (localhost,
> 127.0.0.1) is allowed, so I can connect to anything IF I'm using lo0,
> even to the specifically denied ip or port numbers.

If you have two interfaces, say lo0 (127.0.0.1/8) and ep0 (10.0.0.1/8),
then when you try to connect to a host in the 10.0.0.0/8 network, the
source address in the packet will be 10.0.0.1, and your rules will
filter it out. To allow outgoing tcp connections from an interface, do
not drop all packets from it.

There are some good examples in the rc.firewall script that will help
you build the rules. The general case of allowing only incoming TCP
connections on an interface is roughly:

	# pass packets of previously established connections
	add pass tcp from any to any via IFACE established

	# allow setup of outgoing TCP connections
	add pass tcp from any to any out xmit IFACE setup

or something along these lines.

Ciao.

--
Giorgos Keramidas, < keramida @ ceid . upatras . gr >
"What we have to learn to do, we learn by doing." [Aristotle]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
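Added example, not part of the original post or of FreeBSD's rc.firewall: a small first-match simulator that walks constructed packets through the two rule shapes discussed above. The interface names (lo0, ep0), the addresses, the packets, and the reading of the poster's rule as "deny ip from 10.0.0.1 to any" are all assumptions made here so that the reply's point can be checked: a blanket deny on the host's own address swallows its own outgoing SYNs, while the "established" plus "out xmit ... setup" pair admits outgoing connections and their replies but drops unsolicited inbound SYNs.

```python
# Added example (not from the original mailing-list post): a minimal
# first-match simulator for the ipfw rule shapes discussed in the thread.
# Hosts, interfaces and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str         # source IPv4 address
    dst: str         # destination IPv4 address
    iface: str       # interface the packet crosses ("lo0", "ep0", ...)
    direction: str   # "in" (received) or "out" (transmitted)
    syn: bool = False
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "deny"
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "any"                 # address or CIDR, or "any"
    dst: str = "any"
    via: Optional[str] = None        # "via IFACE": either direction on IFACE
    direction: Optional[str] = None  # "in" / "out"
    setup: bool = False              # TCP SYN set, ACK clear (new connection)
    established: bool = False        # TCP ACK set (existing connection)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every qualifier on the rule matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.setup and not (pkt.proto == "tcp" and pkt.syn and not pkt.ack):
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; an implicit final deny closes the set."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Ruleset 1 (assumed reading of the poster's setup): "allow all via lo0"
# plus a blanket deny of the host's own ep0 address, 10.0.0.1.
OVERBROAD = [
    Rule("pass", via="lo0"),
    Rule("deny", src="10.0.0.1"),
]

# Ruleset 2: the two rules suggested in the reply, with IFACE = ep0.
RECOMMENDED = [
    # add pass tcp from any to any via ep0 established
    Rule("pass", proto="tcp", via="ep0", established=True),
    # add pass tcp from any to any out xmit ep0 setup
    Rule("pass", proto="tcp", direction="out", via="ep0", setup=True),
]

# Constructed traffic: a new outgoing connection on ep0, its reply,
# an unsolicited inbound connection attempt, and loopback traffic.
OUTGOING_SYN = Packet("tcp", "10.0.0.1", "10.0.0.2", "ep0", "out", syn=True)
REPLY_SYNACK = Packet("tcp", "10.0.0.2", "10.0.0.1", "ep0", "in", syn=True, ack=True)
INBOUND_SYN = Packet("tcp", "10.0.0.2", "10.0.0.1", "ep0", "in", syn=True)
LOOPBACK_SYN = Packet("tcp", "127.0.0.1", "127.0.0.1", "lo0", "out", syn=True)


def verdicts(rules: List[Rule]) -> dict:
    """Verdict for each constructed packet under the given ruleset."""
    return {
        "outgoing_syn": evaluate(rules, OUTGOING_SYN),
        "reply_synack": evaluate(rules, REPLY_SYNACK),
        "inbound_syn": evaluate(rules, INBOUND_SYN),
        "loopback_syn": evaluate(rules, LOOPBACK_SYN),
    }


if __name__ == "__main__":
    for name, rules in (("overbroad", OVERBROAD), ("recommended", RECOMMENDED)):
        print(name, verdicts(rules))
```

Under OVERBROAD the outgoing SYN is denied because its source address is the host's own 10.0.0.1, exactly the case the reply describes, and only loopback gets through. Under RECOMMENDED the outgoing SYN passes via the setup rule, the SYN/ACK reply passes via the established rule, and the inbound SYN falls through to the implicit deny. Note that RECOMMENDED on its own also denies loopback traffic, so in a real ruleset the lo0 pass rule still belongs in front of it. The simulator models ipfw's "established" as "ACK set" and "setup" as "SYN set, ACK clear"; ipfw's actual keyword semantics and rule 65535 default should be checked in ipfw(8) for the version in use.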