Date: Thu, 10 Jan 2002 07:35:58 +0100 From: "Roger 'Rocky' Vetterberg" <listsub@rambo.simx.org> To: "Heimes, Rene" <rh@com-con.net> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: AW: firewalling with ipfw Message-ID: <3C3D364E.9080304@rambo.simx.org> References: <F54B610C5BFDE546BBA2F6CC595ACC75084A0C@exchange2000>
Heimes, Rene wrote:
> I do not know how "keep-state" and "skipto" can solve my problems, so I
> give you this sample ruleset:
>
> ****************
> * HERE IT COMES *
> ****************
>
> # Low Access Clients
> ${fwcmd} add deny log all from any to A.B.C.96
> ${fwcmd} add pass udp from A.B.C.96 to any 53
> ${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to any 119
> ${fwcmd} add pass tcp from A.B.C.96 to any 1494
> ${fwcmd} add pass udp from A.B.C.96 to any 1604
> ${fwcmd} add pass icmp from A.B.C.96 to any icmptypes 8 keep-state
> ${fwcmd} add pass icmp from any to A.B.C.96 icmptypes 0 keep-state
>
[snip a lot of similar rules]
> ***************
> * AND THAT'S IT *
> ***************
>
> So you all can pitch into that piece - what can be improved here???
>
Why not something like this:
# Low Access Clients
LAC="A.B.C.96,A.B.C.99,A.B.C.35"
${fwcmd} add deny log all from any to ${LAC}
${fwcmd} add pass udp from ${LAC} to any 53
${fwcmd} add pass tcp from ${LAC} to www.bahn.de 80
...
If a "low access client" changes IP, disappears or maybe gets
promoted to a "high access client" :), all you need to do is
remove it from or edit its entry in the LAC= line at the top.
--
R
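Roger's variable approach carried one step further, as an added example that is not from either poster: a small sh script that generates the whole low-access block from one host list and a loop over the web hosts, with `check-state` placed ahead of the deny so replies to flows opened by the `keep-state` rules are not caught by it. It assumes the comma-separated address and port lists of ipfw2, and `fwcmd` defaults to `echo` so the generated rules can be reviewed before they are loaded with the real binary.

```shell
#!/bin/sh
# Added example, not from the thread: build the "low access client"
# rules from one list and emit them through ${fwcmd}.
# Assumption: fwcmd defaults to "echo" for a dry run; set fwcmd=/sbin/ipfw
# to load the rules for real.
fwcmd="${fwcmd:-echo}"

# Comma-separated list of low access clients (placeholder addresses
# copied from the thread).
LAC="A.B.C.96,A.B.C.99,A.B.C.35"
# Web hosts the clients may reach on 80/443 (taken from the quoted ruleset).
LAC_WEB="www.bahn.de www.spiegel.de www.gsn.de"

# Emit the whole low-access block, one rule per line.
lac_rules() {
    # check-state must come before the deny: otherwise replies to flows
    # opened by the keep-state rules below would hit the deny first.
    ${fwcmd} add check-state
    # Default deny, logged, so anything not explicitly allowed shows up.
    ${fwcmd} add deny log all from any to "${LAC}"
    # Every allowed outbound flow keeps state, so no separate return
    # rule (such as the icmptypes 0 rule in the original) is needed.
    ${fwcmd} add pass udp from "${LAC}" to any 53 keep-state
    for host in ${LAC_WEB}; do
        for port in 80 443; do
            ${fwcmd} add pass tcp from "${LAC}" to "${host}" ${port} keep-state
        done
    done
    ${fwcmd} add pass tcp from "${LAC}" to any 119,1494 keep-state
    ${fwcmd} add pass udp from "${LAC}" to any 1604 keep-state
    ${fwcmd} add pass icmp from "${LAC}" to any icmptypes 8 keep-state
}

# Number of rules generated; a quick sanity check before loading.
lac_rule_count() {
    lac_rules | wc -l | tr -d ' '
}
```

Run it once with the default `fwcmd=echo`, compare the output against the intended policy, then rerun with `fwcmd=/sbin/ipfw` to load it.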