From owner-freebsd-current Thu Jan 16 05:17:55 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id FAA20620 for current-outgoing; Thu, 16 Jan 1997 05:17:55 -0800 (PST)
Received: from gaia.coppe.ufrj.br (root@cisigw.coppe.ufrj.br [146.164.2.31]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA20614; Thu, 16 Jan 1997 05:17:52 -0800 (PST)
Received: (from jonny@localhost) by gaia.coppe.ufrj.br (8.8.3/8.7.3) id LAA05573; Thu, 16 Jan 1997 11:16:49 -0200 (EDT)
From: Joao Carlos Mendes Luis
Message-Id: <199701161316.LAA05573@gaia.coppe.ufrj.br>
Subject: Re: ipfw cannot do this...
To: nate@mt.sri.com (Nate Williams)
Date: Thu, 16 Jan 1997 11:16:49 -0200 (EDT)
Cc: ejs@bfd.com, nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
In-Reply-To: <199701151919.MAA06300@rocky.mt.sri.com> from Nate Williams at "Jan 15, 97 12:19:40 pm"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

#define quoting(Nate Williams)
// > > > I just found out one thing we need in ipfw, the ability to inverse the
// > > > sense of a rule:
// > > >
// > > > ipfw add deny not ip from 140.145.0.0 to any via ed0
// > > > ipfw add deny not ip from any to 140.145.0.0 via ed1
// > > >               ^^^
// > > > ipfw add allow tcp from any to any 23
// > > > ipfw add allow tcp from any to any 25
// > > > ...
// > > >
// > > > any takers ?
// > >
// > > I'm not sure I follow what you want.  What exactly are you trying to do?
// >
// > As someone that wants something like this, I think I can answer.  Quite a
// > few times, I've wanted to deny everything but a certain address range, and
// > then further restrict that address range.  I'd like this !!!
//
// Why not 'add' acceptance hosts and then restrict everything after that.

The acceptance list could be too big to be useful.  For example, how can I
deny spoofing from a subnet ?
The standard rc.firewall suggests the following piece of code:

/sbin/ipfw add deny all from ${inet}:${imask} to any in via ${oif}
/sbin/ipfw add deny all from ${onet}:${omask} to any in via ${iif}

But this would probably be better:

/sbin/ipfw add deny all from not ${inet}:${imask} to any in via ${iif}
/sbin/ipfw add deny all from ${inet}:${imask} to any in via not ${iif}

The second line in the first piece of code does not prevent all spoofing.

// Since ipfw goes until it gets a match, it'll work fine that way.
//
// This is how I'm doing it now.
//
// # Allow traffic to/from machine 1.2.3.4 only
// ipfw add allow tcp from 1.2.3.4 to any via ed0
// ipfw add allow tcp from any to 1.2.3.4 via ed0
// ipfw add deny log tcp from any to any via ed0

What if you want to restrict access based on tcp port ?

Jonny

--
Joao Carlos Mendes Luis            jonny@gta.ufrj.br
+55 21 290-4698 ( Job )            jonny@cisi.coppe.ufrj.br
Network Manager                    UFRJ/COPPE/CISI
Universidade Federal do Rio de Janeiro
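The post's claim that the rc.firewall pair leaves a spoofing hole while the "not" pair closes it can be checked by simulating ipfw's first-match evaluation over a few inbound packets. The script below is an added example written for this page, not code from the post or from FreeBSD; the subnets (192.0.2.0/24 for ${inet}:${imask}, 198.51.100.0/24 for ${onet}:${omask}), the interface names ed0/ed1 for ${iif}/${oif}, and the sample packets are all constructed, and the model assumes the meaning of "not" that the poster is asking for (negating the address or interface match it precedes).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (hypothetical values, not from the post):
# INET is the internal subnet behind IIF, ONET the provider subnet on OIF.
INET = ipaddress.ip_network("192.0.2.0/24")      # ${inet}:${imask}
ONET = ipaddress.ip_network("198.51.100.0/24")   # ${onet}:${omask}
IIF, OIF = "ed0", "ed1"                          # ${iif}, ${oif}


@dataclass(frozen=True)
class Rule:
    action: str                                  # "deny" or "allow"
    src: Optional[ipaddress.IPv4Network]         # None means "from any"
    src_not: bool                                # True models "from not <net>"
    via: Optional[str]                           # None means any interface
    via_not: bool                                # True models "via not <iface>"

    def matches(self, src_ip: ipaddress.IPv4Address, iface: str) -> bool:
        # "not" flips the result of the individual match it prefixes
        src_ok = True if self.src is None else (src_ip in self.src) != self.src_not
        via_ok = True if self.via is None else (iface == self.via) != self.via_not
        return src_ok and via_ok


def first_match(rules, src_ip: str, iface: str, default: str = "allow") -> str:
    """ipfw semantics: walk the rules in order, the first match decides."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(ip, iface):
            return rule.action
    return default


# The pair the post quotes from rc.firewall
RC_FIREWALL = [
    Rule("deny", INET, False, OIF, False),   # deny all from inet to any in via oif
    Rule("deny", ONET, False, IIF, False),   # deny all from onet to any in via iif
]

# The pair the post proposes instead, using "not"
PROPOSED = [
    Rule("deny", INET, True, IIF, False),    # deny all from not inet to any in via iif
    Rule("deny", INET, False, IIF, True),    # deny all from inet to any in via not iif
]

# Constructed inbound packets: (source address, arrival interface, legitimate?)
PACKETS = [
    ("192.0.2.10",   IIF, True),    # internal host on the internal interface
    ("198.51.100.7", OIF, True),    # provider host on the outside interface
    ("203.0.113.5",  OIF, True),    # arbitrary Internet host on the outside interface
    ("192.0.2.10",   OIF, False),   # outsider spoofing an internal address
    ("198.51.100.7", IIF, False),   # insider spoofing the provider subnet
    ("203.0.113.5",  IIF, False),   # insider spoofing an arbitrary Internet address
]


def evaluate(rules):
    """Return the spoofed packets a rule set lets through; fail if it blocks legitimate ones."""
    leaked = []
    for src, iface, legit in PACKETS:
        verdict = first_match(rules, src, iface)
        if legit and verdict != "allow":
            raise AssertionError(f"legitimate packet {src} via {iface} was denied")
        if not legit and verdict == "allow":
            leaked.append((src, iface))
    return leaked


if __name__ == "__main__":
    print("rc.firewall pair lets through:", evaluate(RC_FIREWALL))
    print("proposed pair lets through:   ", evaluate(PROPOSED))
```

The rc.firewall pair only denies internal packets that claim the provider subnet, so an inside host spoofing any other Internet address (the 203.0.113.5 via ed0 case) passes both rules and falls through to the default; the "not" pair pins internal source addresses to the internal interface and everything else away from it, so no spoofed packet in the sample set gets through.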