From owner-freebsd-questions Wed Jan 9 22:32:30 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from rambo.simx.org (rambo.simx.org [194.17.208.54]) by hub.freebsd.org (Postfix) with ESMTP id A1F1137B43D for ; Wed, 9 Jan 2002 22:31:46 -0800 (PST)
Received: from rambo.simx.org (rocky [192.168.0.2]) by rambo.simx.org (8.11.6/8.11.6) with ESMTP id g0A6VdX71296; Thu, 10 Jan 2002 07:31:39 +0100 (CET) (envelope-from listsub@rambo.simx.org)
Message-ID: <3C3D364E.9080304@rambo.simx.org>
Date: Thu, 10 Jan 2002 07:35:58 +0100
From: "Roger 'Rocky' Vetterberg"
Reply-To: listsub@rambo.simx.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Heimes, Rene"
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: AW: firewalling with ipfw
References:
Content-Type: text/plain; charset=KOI8-R; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Heimes, Rene wrote:
> I do not know how "keep-state" and "skipto" can solve my problems, so I
> give you this sample ruleset:
>
> ****************
> * HERE IT COMES *
> ****************
>
> # Low Access Clients
> ${fwcmd} add deny log all from any to A.B.C.96
> ${fwcmd} add pass udp from A.B.C.96 to any 53
> ${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to any 119
> ${fwcmd} add pass tcp from A.B.C.96 to any 1494
> ${fwcmd} add pass udp from A.B.C.96 to any 1604
> ${fwcmd} add pass icmp from A.B.C.96 to any icmptypes 8 keep-state
> ${fwcmd} add pass icmp from any to A.B.C.96 icmptypes 0 keep-state
> [snip a lot of similar rules]
> ***************
> * AND THAT'S IT *
> ***************
>
> So you all can pitch into that piece - what can be improved here???
>

Why not something like this:

# Low Access Clients
LAC="A.B.C.96,A.B.C.99,A.B.C.35"
${fwcmd} add deny log all from any to ${LAC}
${fwcmd} add pass udp from ${LAC} to any 53
${fwcmd} add pass tcp from ${LAC} to www.bahn.de 80
...

If a "low access client" changes IP, disappears or maybe gets promoted to a "high access client" :), all you need to do is remove it from or edit its entry in the LAC= line at the top.

--
R

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
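The LAC idea from the reply written out as a complete rc.firewall-style fragment, as an added example that is not part of the original message: one address list feeds every rule, a check-state is placed ahead of the deny so that replies to the clients (matched by the keep-state rules) are not logged and dropped, and with fwcmd unset the script only prints the rules. The extra list entries, the fwcmd default and the lac_rule_count helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. The A.B.C.* addresses and
# the three web hosts are the placeholders used in the thread; the extra
# list entries are constructed. With fwcmd unset this is a dry run that
# prints the rules; set fwcmd=/sbin/ipfw to load them.
fwcmd="${fwcmd:-echo ipfw}"

LAC="A.B.C.96,A.B.C.99,A.B.C.35"              # low access clients: one place to edit
LAC_WEB="www.bahn.de www.spiegel.de www.gsn.de"  # the only web sites they may reach

lac_rules() {
    # check-state first: packets belonging to a flow created by a keep-state
    # rule (i.e. the replies to the clients) match here and never reach the deny.
    ${fwcmd} add check-state
    # everything else aimed at the clients is logged and dropped
    ${fwcmd} add deny log all from any to ${LAC}
    # DNS; keep-state lets the answer back through the deny above
    ${fwcmd} add pass udp from ${LAC} to any 53 keep-state
    # HTTP/HTTPS to the whitelisted sites only
    for host in ${LAC_WEB}; do
        ${fwcmd} add pass tcp from ${LAC} to ${host} 80,443 setup keep-state
    done
    # NNTP and tcp 1494 / udp 1604 (Citrix ICA), as in the quoted ruleset
    ${fwcmd} add pass tcp from ${LAC} to any 119,1494 setup keep-state
    ${fwcmd} add pass udp from ${LAC} to any 1604 keep-state
    # outgoing ping; the echo reply is matched by the dynamic rule,
    # so no separate "icmptypes 0" rule is needed
    ${fwcmd} add pass icmp from ${LAC} to any icmptypes 8 keep-state
}

# number of rules the function emits (hypothetical helper, handy as the
# address list grows and the ruleset is reviewed)
lac_rule_count() {
    lac_rules | wc -l | tr -d ' '
}

lac_rules
```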