From owner-freebsd-isp Mon Feb 16 03:12:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA25937 for freebsd-isp-outgoing; Mon, 16 Feb 1998 03:12:56 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from caladan.tdx.co.uk (caladan.tdx.co.uk [195.188.177.4]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA25860 for ; Mon, 16 Feb 1998 03:12:41 -0800 (PST) (envelope-from kpielorz@tdx.co.uk)
Received: from tdx.co.uk (lorca-tx.tdx.co.uk [195.188.177.242]) by caladan.tdx.co.uk (8.8.7/8.8.7) with ESMTP id LAA09760 for ; Mon, 16 Feb 1998 11:12:37 GMT (envelope-from kpielorz@tdx.co.uk)
Message-ID: <34E81F25.FE3A9638@tdx.co.uk>
Date: Mon, 16 Feb 1998 11:12:37 +0000
From: Karl Pielorz
Organization: TDX
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: isp@FreeBSD.ORG
Subject: ipfw - specifying ports >1023 & general config
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

I'm using FreeBSD 2.2.2 / 2.2.5 releases at our site, and the 'ipfw' command to set up firewalls on individual machines to supplement our site's main firewalling router...

The question is, at the moment I use commands like:

    ipfw add allow tcp from any 1023-65534 to my.ip.add.ress 25
    ipfw add allow tcp from my.ip.add.ress 25 to any 1023-65534 established

Is there any 'cleaner' way of specifying the 'safe' ports range, i.e. ports between 1023 through to 65535? I've seen someone post something about using '>1023', but I couldn't get this to work (even after escaping it to stop the shell from redirecting its output to a file called 1023 ;-)

At the moment it's not too bad, as the firewall is set up by a script that uses shell variables, e.g. "1023-65534" becomes $SAFE, thus:

    $FW add allow tcp from any $SAFE to $MY_IP $SMTP
    $FW add allow tcp from $MY_IP $SMTP to any $SAFE established

Which makes it a lot more readable... Any comments?

- any suggestions on how I can stop the unavoidable 'human error' factor of being able to do something like:

    $FWi add allow tcp from any $FAFE to $MY_IP $SNTP

(where the shell won't complain about not being able to find $FWi or $FAFE etc. - and it's easy to miss the error in the firewall output as it spins past). I've seen some 'firewall' languages and stuff put about - but I didn't really want anything _that_ complex, just something that would catch typos...

Thanks for any info,

Regards,

Karl Pielorz

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-isp" in the body of the message
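The typo problem described in the post (an unset $FAFE or $SNTP silently expanding to nothing, so the rule loads with a field missing) can be caught by the shell itself. The script below is an added example, not code from the original post or from the FreeBSD project: it builds the same two SMTP rules from shell variables under `set -u`, so any reference to an unset variable aborts the rule set, and wraps each rule in a function whose `${N:?}` expansions refuse to emit a rule with an empty field. The address 192.0.2.10 is a constructed sample value, the port range 1024-65535 is an assumption (the post uses 1023-65534), and FW defaults to `echo` so the script runs offline; on a real host it would be set to ipfw.

```shell
#!/bin/sh
# Added example (not from the original post): generate ipfw rules from
# shell variables so that a mistyped variable name is a hard error rather
# than a silently empty field.
#
# Assumptions: FW is the rule-loading command; it defaults to "echo" here so
# the rules are printed instead of loaded (set FW=ipfw on a real host).

set -u               # any reference to an unset variable aborts the script
FW=${FW:-echo}       # default: print rules instead of loading them

MY_IP=192.0.2.10     # constructed sample address (RFC 5737 documentation range)
SAFE=1024-65535      # assumed unprivileged client port range
SMTP=25

# rule <proto> <src> <sport> <dst> <dport> [extra...]
# Each positional field is mandatory: ${N:?name} aborts with a message naming
# the missing field, so a rule can never be emitted with a field dropped.
rule() {
    proto=${1:?proto}; src=${2:?src}; sport=${3:?sport}
    dst=${4:?dst};     dport=${5:?dport}
    shift 5
    # ${1+"$@"} passes the optional trailing words (e.g. "established")
    # without tripping set -u on older shells when there are none.
    $FW add allow "$proto" from "$src" "$sport" to "$dst" "$dport" ${1+"$@"}
}

# Emit the rule set in a subshell; the return status says whether every rule
# was built cleanly.  Under set -u a typo such as $FAFE exits the subshell
# non-zero before any later rule is emitted.
load_rules() {
    (
        rule tcp any "$SAFE" "$MY_IP" "$SMTP"
        rule tcp "$MY_IP" "$SMTP" any "$SAFE" established
    )
}

# Deliberately mistyped rule set, to show the check firing.
load_rules_typo() {
    (
        rule tcp any "$FAFE" "$MY_IP" "$SMTP"    # $FAFE is not set
    ) 2>/dev/null
}

if load_rules; then
    echo "rule set OK"
else
    echo "rule set aborted: fix the script before loading it" >&2
fi
```

Running the rule set in a subshell is what makes the failure visible as a single exit status instead of one line lost in scrolling ipfw output; a real script would typically flush and reload the whole table only after that status is zero.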