From owner-freebsd-questions Mon Feb 10 06:43:00 1997
From: Robert Shady
Message-Id: <199702101443.JAA27415@server.id.net>
Subject: Re: Packet filtering help please
In-Reply-To: <32FD37FA.41C67EA6@whistle.com> from Julian Elischer at "Feb 8, 97 06:35:38 pm"
To: julian@whistle.com (Julian Elischer)
Date: Mon, 10 Feb 1997 09:43:12 -0500 (EST)
Cc: rls@mail.id.net, tiller@connectnet.com, FreeBSD-Questions@freebsd.org, FreeBSD-ISP@freebsd.org

> > Also remember that the numbers are the 'rule numbers', they are
> > parsed from highest to lowest, and every one must be different.
> > In the above example, it starts out like this
> >
> > RULE #
> > ======
> > 65536 deny ip from any to any (Don't let ANYONE into this box by default)
> > 10000 allow ip from all to all (Now allow EVERYONE into this box by default)
> > 1000 deny ip from a.a.a.a (Now just deny people from a.a.a.a)
> >
> > And you could add...
> >
> > 999 deny ip from b.b.b.b (Now deny people from a.a.a.a & b.b.b.b)
>
> Boy is that confusing!
> 1/ there can be more than one rule with the same number.. ordering of
> such rules is undefined.
> 2/ the rules are parsed LOWEST to HIGHEST..
>
> the rules are interpreted with an implied "OTHERWISE go on to the next
> rule".
>
> while (rules to do) {
>     if (condition of next rule is true) {
>         if (rule is deny)
>             return FALSE;
>         else /* rule is accept */
>             return TRUE;
>     }
>     rule++; /* move on to next rule */
> }
>
> in other words the set above are:
>
> 1000  If it's our pesky friend block it and go get the next packet.
>       otherwise, go on to the next rule.
> 10000 Allow all packets not already thrown out.
> 65535 *never reached*

I stand corrected...

-- Rob
===
Innovative Data Services
Serving South-Eastern Michigan
Internet Service Provider / Hardware Sales / Consulting Services
Voice: (810)855-0404 / Fax: (810)855-3268 / Web: http://www.id.net
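The first-match walk Julian describes, worked through in C as an added example; this is not code from the thread and not FreeBSD's ipfw source. It models only source-address matching, which is all the rule set under discussion needs, and the two addresses standing in for a.a.a.a and b.b.b.b are constructed sample values. The `highest_first` flag is there purely to show what the corrected misreading (highest to lowest) would have done to the same rule set: the default deny at 65535 matches first and every packet is dropped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of ipfw's first-match rule walk. Constructed for this example;
 * it is not FreeBSD's ipfw implementation. Only the packet's source address
 * is matched, which is all the thread's rule set needs. */

enum action { DENY = 0, ALLOW = 1 };

struct rule {
    int number;        /* rule number, 1..65535; 65535 is the default rule */
    enum action act;
    const char *src;   /* dotted source address, or "any" */
};

static int rule_cmp(const void *a, const void *b)
{
    const struct rule *ra = a, *rb = b;
    return (ra->number > rb->number) - (ra->number < rb->number);
}

/* True when the rule's source selector covers this packet's source. */
static int src_matches(const struct rule *r, const char *src_ip)
{
    return strcmp(r->src, "any") == 0 || strcmp(r->src, src_ip) == 0;
}

/*
 * Walk the rules in number order and return the number of the first rule
 * whose condition is true, storing its action in *decision. This is the
 * quoted while-loop with the implied "otherwise go on to the next rule".
 * highest_first != 0 walks the set backwards, i.e. the misreading the
 * thread corrects, so the two orders can be compared side by side.
 */
int filter_packet(struct rule *rules, size_t n, const char *src_ip,
                  int highest_first, enum action *decision)
{
    qsort(rules, n, sizeof *rules, rule_cmp);   /* entry order is irrelevant */
    for (size_t k = 0; k < n; k++) {
        size_t i = highest_first ? n - 1 - k : k;
        if (src_matches(&rules[i], src_ip)) {
            *decision = rules[i].act;
            return rules[i].number;
        }
    }
    *decision = DENY;   /* ipfw's built-in rule 65535 would catch this */
    return 65535;
}

/* The thread's rule set, listed out of order on purpose. The two addresses
 * stand in for a.a.a.a and b.b.b.b and are constructed sample values. */
static struct rule example_set[] = {
    { 65535, DENY,  "any"      },  /* default: deny everything */
    { 10000, ALLOW, "any"      },  /* allow whatever was not dropped above */
    { 1000,  DENY,  "10.0.0.1" },  /* a.a.a.a */
    { 999,   DENY,  "10.0.0.2" },  /* b.b.b.b */
};
#define EXAMPLE_COUNT (sizeof example_set / sizeof *example_set)

/* Decision for one source address under the correct (lowest first) walk. */
enum action decide(const char *src_ip)
{
    enum action d;
    filter_packet(example_set, EXAMPLE_COUNT, src_ip, 0, &d);
    return d;
}

/* Number of the rule that decided the packet under the correct walk. */
int deciding_rule(const char *src_ip)
{
    enum action d;
    return filter_packet(example_set, EXAMPLE_COUNT, src_ip, 0, &d);
}

/* Same set walked highest to lowest: rule 65535 matches everything first,
 * so every source is denied and rules 999/1000/10000 are never consulted. */
enum action decide_highest_first(const char *src_ip)
{
    enum action d;
    filter_packet(example_set, EXAMPLE_COUNT, src_ip, 1, &d);
    return d;
}

int main(void)
{
    const char *samples[] = { "10.0.0.1", "10.0.0.2", "192.0.2.7" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        printf("%-10s lowest-first: %-5s (rule %5d)   highest-first: %s\n",
               samples[i],
               decide(samples[i]) == ALLOW ? "allow" : "deny",
               deciding_rule(samples[i]),
               decide_highest_first(samples[i]) == ALLOW ? "allow" : "deny");
    }
    return 0;
}
```

Running it shows the two blocked addresses decided by rules 1000 and 999, everyone else allowed by rule 10000, and rule 65535 never consulted; with the walk reversed, 65535 decides every packet, which is the behaviour the original "highest to lowest" description would imply.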