From owner-freebsd-questions  Fri Jun 14  4:59:47 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from lexx.zssm.zp.ua (lexx.zssm.zp.ua [212.8.32.8])
	by hub.freebsd.org (Postfix) with ESMTP id C546A37B400
	for <questions@FreeBSD.ORG>; Fri, 14 Jun 2002 04:59:38 -0700 (PDT)
Received: from server.hermes-comp.zp.ua (germes-comp.zssm.zp.ua [212.8.32.132] (may be forged))
	by lexx.zssm.zp.ua (8.9.2/8.9.2) with ESMTP id OAA28013;
	Fri, 14 Jun 2002 14:46:42 +0300 (EET DST)
Received: from localhost (localhost [127.0.0.1])
	by server.hermes-comp.zp.ua (Postfix) with ESMTP
	id 1FEEE38302; Fri, 14 Jun 2002 14:50:40 +0300 (EEST)
Date: Fri, 14 Jun 2002 14:50:40 +0300 (EEST)
From: Alexander V Zubchenko <stalker@hermes-comp.zp.ua>
To: =?koi8-r?B?6czY0SD7ydDJw8nO?= <ilia@academy.urc.ac.ru>
Cc: <questions@FreeBSD.ORG>
Subject: Re: ipfw: outgoing connections only
In-Reply-To: <20020614173014.X42286-100000@sol.chel.skbkontur.ru>
Message-ID: <20020614144544.V1381-100000@server.hermes-comp.zp.ua>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=KOI8-R
Content-Transfer-Encoding: 8BIT
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Greetings!

On Fri, 14 Jun 2002, Илья Шипицин wrote:

> for example, I want to allow incoming tcp/udp connections to certain
> ports, i.e. tcp1..tcpN, udp1...udpN. And I want to allow any outgoing
> connection from that machine.
>
> I'm not sure about ipfw rules, any advice ?
Look ipfw(8) man-page for details. You can add something like:
ipfw add allow tcp from any to me <ports-spec> in via <iface> \
keep-state #To allow incoimng for specific ports
ipfw add allow ip from me to any out via <iface>
(to allow any outcoming connections).

port-spec is port|port-port|port:mask|<port-spec>,<port-spec>...

As i already said look at manpage. There enough info, imho. Keep-state
create dynamic rules to bypass this connection. Lifetime controlled by
sysctl variables.

Hope, this help.

Alexander V Zubchenko,		E-Mail: stalker@hermes-comp.zp.ua
System Administrator,		WWW: http://www.hermes-comp.zp.ua/
Hermes-comp,
Ukraine,
Zaporizhzhya,
Geroev Stalingrada 50
phone/fax: +380 612 64-19-72



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message