From: Julian Elischer
Date: Tue, 26 Feb 2008 20:51:08 -0800
To: steve13th
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW Established and Outside Traffic Problem
Message-ID: <47C4EC3C.7@elischer.org>
In-Reply-To: <15704943.post@talk.nabble.com>
List-Id: IPFW Technical Discussions

steve13th wrote:
> Given:
> Running FreeBSD
>
> What I want to do:
> I am attempting to disable the following things:
> Note H = host octet
> 1. disable pings
> 2. disable traffic originating from networks other than HHH.HH.HHH.0/24
> 3. allow traffic to originate from HHH.HH.HHH.11 and go back and forth with
> the internet
>
> Status:
> I am able to block pings, but I can't have traffic with the internet
>
> My rules
>
> ipfw add 1 deny icmp from any to any icmptypes 0,8
> ipfw add 2 allow tcp from any to any established
> ipfw add 3 allow all from HHH.HH.HHH.11/24 to any
>

oh where to start..

firstly realise that ipfw is called for every packet arriving on every interface and every packet leaving on every interface. you probably want to limit processing to packets coming and going on some interface. Assume em0 is your outside interface..

  # divide up traffic into that we are interested in and that we are not
  ipfw add 10 skipto 100 ip from any to any in recv em0
  ipfw add 11 skipto 200 ip from any to any out xmit em0
  ipfw add 12 allow ip from any to any

  # incoming packets from the outside
  ipfw add 100 drop ip from 127.0.0.0/8 to any
  ipfw add 101 drop ip from any to 127.0.0.0/8
  ipfw add 110 drop icmp from any to any icmptypes 0,8
  ipfw add 120 check-state
  [add any other packet descriptions for incoming packets you may want to accept]
  ipfw add 190 drop ip from any to any

  # outgoing packets to the outside
  ipfw add 200 allow ip from any to any keep-state
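As an added illustration that is not part of the thread: a constructed Python model of how ipfw walks the ruleset sketched in the reply first-match, showing skipto, check-state and keep-state working together so that replies to connections opened from inside get in while unsolicited inbound traffic and pings do not. It assumes 12 as the number of the catch-all allow, a default-deny rule 65535, and TEST-NET addresses with 192.0.2.11 standing in for HHH.HH.HHH.11.

```python
from ipaddress import ip_address, ip_network
# Constructed toy first-match evaluator for the ruleset sketched in the reply
# (em0 = outside interface, default rule 65535 assumed to be deny). Not ipfw itself.
ANY, LOOP = ip_network("0.0.0.0/0"), ip_network("127.0.0.0/8")
# (number, action, proto, src, dst, via=(direction, iface), icmp types, keep-state)
RULES = [
    (10,  "skipto 100",  "ip",   ANY,  ANY,  ("in", "em0"),  None,   False),
    (11,  "skipto 200",  "ip",   ANY,  ANY,  ("out", "em0"), None,   False),
    (12,  "allow",       "ip",   ANY,  ANY,  None,           None,   False),
    (100, "drop",        "ip",   LOOP, ANY,  None,           None,   False),
    (101, "drop",        "ip",   ANY,  LOOP, None,           None,   False),
    (110, "drop",        "icmp", ANY,  ANY,  None,           {0, 8}, False),
    (120, "check-state", "ip",   ANY,  ANY,  None,           None,   False),
    (190, "drop",        "ip",   ANY,  ANY,  None,           None,   False),
    (200, "allow",       "ip",   ANY,  ANY,  None,           None,   True),
]
def evaluate(pkt, state):
    """Walk RULES first-match; state is the set of flows recorded by keep-state."""
    flow = (pkt["proto"], pkt["src"], pkt.get("sport"), pkt["dst"], pkt.get("dport"))
    reverse = (pkt["proto"], pkt["dst"], pkt.get("dport"), pkt["src"], pkt.get("sport"))
    i = 0
    while i < len(RULES):
        _, action, proto, src, dst, via, icmptypes, keep = RULES[i]
        if (proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in src and ip_address(pkt["dst"]) in dst
                and (via is None or via == pkt["via"])
                and (icmptypes is None or pkt.get("icmptype") in icmptypes)):
            if action.startswith("skipto"):  # continue at the first rule >= target
                i = next(j for j, r in enumerate(RULES) if r[0] >= int(action.split()[1]))
                continue
            if action == "check-state" and (flow in state or reverse in state):
                return "allow"  # reply to a flow opened from inside
            if action != "check-state":
                if keep:
                    state.add(flow)
                return action
        i += 1
    return "drop"  # fell off the end: default rule 65535
# Constructed sample packets (TEST-NET addresses); 192.0.2.11 is the inside host.
SCENARIOS = [
    dict(proto="tcp", src="192.0.2.11", sport=4242, dst="198.51.100.5", dport=80, via=("out", "em0")),
    dict(proto="tcp", src="198.51.100.5", sport=80, dst="192.0.2.11", dport=4242, via=("in", "em0")),
    dict(proto="tcp", src="198.51.100.9", sport=1234, dst="192.0.2.11", dport=22, via=("in", "em0")),
    dict(proto="icmp", src="198.51.100.9", dst="192.0.2.11", icmptype=8, via=("in", "em0")),
    dict(proto="tcp", src="10.0.0.7", sport=5555, dst="192.0.2.11", dport=22, via=("in", "em1")),
]
def demo():
    """Verdicts: outbound, its reply, unsolicited inbound, ping, packet on inside em1."""
    state = set()
    return [evaluate(p, state) for p in SCENARIOS]
```

The reply in the second scenario is only allowed because the first scenario's keep-state entry exists; run the second alone against an empty state and it falls through to rule 190.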