Date: Wed, 6 Jun 2018 20:13:59 +0200
From: "Dries Michiels" <driesm.michiels@gmail.com>
To: "'Freddie Cash'" <fjwcash@gmail.com>
Cc: <freebsd-ipfw@freebsd.org>
Subject: RE: Matching rules on ip4/ip6 with udp/tcp
Message-ID: <001901d3fdc2$2446d160$6cd47420$@gmail.com>
In-Reply-To: <CAOjFWZ6CsxLy+msz1hpXz7SB=2xsO=N40yHA_MZu8snYb_OkGQ@mail.gmail.com>
References: <001001d3fdbc$d804d270$880e7750$@gmail.com> <CAOjFWZ6CsxLy+msz1hpXz7SB=2xsO=N40yHA_MZu8snYb_OkGQ@mail.gmail.com>
Tried out the variations you mentioned and they work just great.

Thank you!
Dries

From: Freddie Cash <fjwcash@gmail.com>
Sent: Wednesday, 6 June 2018 20:01
To: Dries Michiels <driesm.michiels@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Matching rules on ip4/ip6 with udp/tcp

On Wed, Jun 6, 2018 at 10:36 AM, Dries Michiels <driesm.michiels@gmail.com> wrote:

> Is there a way to match packets specifying both network generation ip4 or ip6 together with the protocol such as tcp or udp?
>
> Currently the following rules are possible (examples):
>
>     ipfw add 1 allow udp from any to me 22 in recv em0
>     ipfw add 1 allow ip4 from any to me 22 in recv em0
>
> The following rule is not possible (example):
>
>     ipfw add 1 allow ip4 udp from any to me 22 in recv em0
>
> Is there a workaround for this or some reason why this hasn't been implemented?
> Or do I simply not have the rule syntax right?

One of the following pairs should do what you want, although the man page is a little hard to parse on some of it, so they may not actually work:

    ipfw add 1 allow from any to me in recv em0 proto ip4 dst-port 22
    ipfw add 1 allow from any to me in recv em0 proto ip6 dst-port 22

    ipfw add 1 allow udp from any to me in recv em0 proto ip4 dst-port 22
    ipfw add 1 allow udp from any to me in recv em0 proto ip6 dst-port 22

Basically, there's a giant section in the man page about the "options" section of the rule (what goes after the interface). You can do just about anything within that section, including a lot of what could be done in the "protocol" and "source address" and "destination address" sections.

--
Freddie Cash
fjwcash@gmail.com
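The point of the thread is that ipfw takes exactly one token in the "protocol" slot, so an address family cannot sit next to tcp or udp there; it has to go into the options section as `proto ip4` / `proto ip6` (the form in Freddie's second pair, which Dries confirmed). A rule with no family token matches both IPv4 and IPv6, which matters when a service should be reachable over one family only. The script below is an added example, not code from either poster or from the FreeBSD project: it emits the full {ip4,ip6} x {tcp,udp} matrix for one port in rule-file form, and dry-runs the file with `ipfw -n` (syntax check only, nothing is installed) when ipfw is present. The interface name em0, the rule numbers 100-103 and the port 22 are assumptions for illustration.

```sh
#!/bin/sh
# Added example for this thread (not Dries' or Freddie's code): build ipfw
# rules that pin one service to a transport protocol AND an address family.
# The family goes in the options section ("proto ip4" / "proto ip6") because
# the protocol slot before "from" holds a single token.
# Assumptions: interface em0, rule numbers starting at 100, port 22.

IFACE="${IFACE:-em0}"

# rule NUM FAMILY PROTO PORT -> one rule in the form ipfw(8) reads from a
# rule file (the same text works after "ipfw" on the command line).
rule() {
    printf 'add %s allow %s from any to me in recv %s proto %s dst-port %s\n' \
        "$1" "$3" "$IFACE" "$2" "$4"
}

# ruleset PORT FIRSTNUM -> the {ip4,ip6} x {tcp,udp} matrix for PORT,
# numbered consecutively from FIRSTNUM.
ruleset() {
    _port="$1"; _n="$2"
    for _fam in ip4 ip6; do
        for _proto in tcp udp; do
            rule "$_n" "$_fam" "$_proto" "$_port"
            _n=$((_n + 1))
        done
    done
}

# check_syntax FILE -> 0 if ipfw parses every line (ipfw -n checks syntax
# without passing anything to the kernel); 2 if ipfw is not on this host,
# so the script can still be exercised off a FreeBSD box.
check_syntax() {
    command -v ipfw >/dev/null 2>&1 || return 2
    ipfw -n -q "$1"
}

demo() {
    rules="${TMPDIR:-/tmp}/ssh-rules.$$"
    ruleset 22 100 > "$rules"
    check_syntax "$rules" && rc=0 || rc=$?
    case $rc in
        0) echo "ruleset parses; load it with: ipfw -q $rules" ;;
        2) echo "ipfw not found here; review $rules by hand" ;;
        *) echo "ipfw rejected the ruleset; fix it before loading" ;;
    esac
}

demo
```

Drop the pairs you do not want from the matrix to get the asymmetric policies the family split makes possible, for example SSH only over IPv6 (`rule 100 ip6 tcp 22`) while leaving no IPv4 listener rule at all.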
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?001901d3fdc2$2446d160$6cd47420$>