Date: Thu, 16 Aug 2001 17:49:23 -0500 From: "default - Subscriptions" <default013subscriptions@hotmail.com> To: <freebsd-questions@freebsd.org> Cc: <eharris@ericharris.com> Subject: Re: Easy IPFW question... Message-ID: <OE45Xxt5BBBVhyemYew0000d884@hotmail.com> References: <OE26Wd7KKQpQq5pneeF0000b932@hotmail.com> <20010813165603.B1119@ringworld.oblivion.bg> <15224.895.861427.828038@nomad.yogotech.com> <20010816095615.C4232@blossom.cjclark.org> <5.1.0.14.2.20010816173444.02e73d28@mail.ericharris.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Eric, Yes it is, it took me a bit of experimenting, but this is pretty simple to do. Just keep in mind that rules are processed in numeric ascending order... if no numeric value is given for the rule, it is applied automatically based on the ascending order of the rule. In other words, the rules at the top of your script take priority. Just make sure that you have something like this...: (The first two should do what you need, the third rule would allow you to query the nameservers on the blocked network and receive a response, and the fourth one would allow you to ping them) add allow tcp from any to any established # Allow established TCP connections to persist add allow tcp from <myip> to any setup # Allow your computer to setup outgoing TCP connections add allow udp from <myip> to any keep-state # Allow outgoing UDP and responses (mainly for DNS) allow icmp from <myip> to any keep-state # Allow outgoing ICMP and responses (traceroutes and pings...) ...above your network/I.P. blocks, and you will be able to setup and establish connections, while they will not even be able to ping you if you don't want them to... Jordan ----- Original Message ----- From: "Eric Harris" <eharris@ericharris.com> To: "default - Subscriptions" <default013subscriptions@hotmail.com> Sent: Thursday, August 16, 2001 4:35 PM Subject: Re: Easy IPFW question... > > Hey, > > I'm trying to block out an entire network as well... > > here is what I used: > > /sbin/ipfw add 00910 deny log all from 209.153.128.0/18 to any via sis0 > > It works.. but My machine can't connect to anything on the network. I only > want to DENY 209.153.128.0/18 from my system. But I would like my system > to be able to connect to 209.153.`128.0/18. Is this even possible? :) > > Thanks > > > > At 01:33 PM 8/16/2001 -0500, you wrote: > >Hi, > > > >Thanks for the help ya'll. I got this fixed, I think what the deal was was I > >had the rule placed below some other rules that allowed traffic... stupid > >mistake... > > > >The rule I ended up keeping was this: > > > >ipfw add deny log all from 192.168.0.1/16 to any via ed0 > > > >I tested this using another machine on my network, and it worked great. > > > >Thanks! > > > >Jordan > > > >----- Original Message ----- > >From: "Crist J. Clark" <cristjc@earthlink.net> > >To: "Nate Williams" <nate@yogotech.com> > >Cc: "Peter Pentchev" <roam@ringlet.net>; "default - Subscriptions" > ><default013subscriptions@hotmail.com>; <freebsd-security@FreeBSD.ORG>; > ><freebsd-questions@FreeBSD.ORG> > >Sent: Thursday, August 16, 2001 11:56 AM > >Subject: Re: Easy IPFW question... > > > > > > > On Mon, Aug 13, 2001 at 10:42:39AM -0600, Nate Williams wrote: > > > > > > I'm kinda new to IPFW, and I was unable to figure this out by > >myself... > > > > > > > > > > > > I want to block an I.P. range, say 192.168.0.1, with a netmask of > > > > > > 255.255.0.0 ... > > > > > > > > > > > > The rule I tried was this: > > > > > > ipfw add deny log all from 192.168.0.1/16 to any via ed0 > > > > > > > > > > Try 192.168.0.0/16 - the bits that are zeroed in the netmask must be > > > > > also zeroed in the address. > > > > > > > > If so, then the ipfw parser is borken. :( > > > > > > > > It *shouldn't* matter what the last two bytes in this case are, as it > > > > doesn't matter to any of the other routing protocols. > > > > > > I cannot reproduce this. On a 4.4-PREPRELEASE system, > > > > > > vegeta# ipfw add 1000 count ip from 192.168.0.1/16 to any > > > 01000 count ip from 192.168.0.0/16 to any > > > vegeta# ipfw add 1001 count ip from 192.168.0.0/16 to any > > > 01001 count ip from 192.168.0.0/16 to any > > > vegeta# ipfw sh > > > 01000 12 1268 count ip from 192.168.0.0/16 to any > > > 01001 12 1268 count ip from 192.168.0.0/16 to any > > > 65000 17743 4318556 allow ip from any to any > > > 65535 0 0 deny ip from any to any > > > > > > The host bits are automatically zeroed in my first ipfw(8) > > > command. What version is the original poster using? What do the rules > > > look like when he does a 'show?' This might not be his problem at > > > all. > > > -- > > > Crist J. Clark cjclark@alum.mit.edu > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OE45Xxt5BBBVhyemYew0000d884>