From owner-freebsd-questions@FreeBSD.ORG Thu Mar 20 11:30:01 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B15A1FA3 for ; Thu, 20 Mar 2014 11:30:01 +0000 (UTC) Received: from bs1.fjl.org.uk (bs1.fjl.org.uk [84.45.41.196]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 0E98B6A7 for ; Thu, 20 Mar 2014 11:30:00 +0000 (UTC) Received: from [192.168.1.35] (host86-150-244-178.range86-150.btcentralplus.com [86.150.244.178]) (authenticated bits=0) by bs1.fjl.org.uk (8.14.4/8.14.4) with ESMTP id s2KBTppG070781 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES128-SHA bits=128 verify=NO) for ; Thu, 20 Mar 2014 11:29:52 GMT (envelope-from frank2@fjl.co.uk) Message-ID: <532AD133.2060005@fjl.co.uk> Date: Thu, 20 Mar 2014 11:29:55 +0000 From: Frank Leonhardt User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.3.0 MIME-Version: 1.0 To: freebsd-questions@freebsd.org Subject: Re: Controlling WAN access using natd/ipfw References: <5326FA3B.7080006@fjl.co.uk> <53280A29.2040902@fjl.co.uk> In-Reply-To: <53280A29.2040902@fjl.co.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.17 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Mar 2014 11:30:01 -0000 Okay - it wasn't as simple as adding a rule before the natd one, and now I really am stuck! On 18/03/2014 08:56, Frank Leonhardt wrote: > No one? I'll drive there later today and try the options safely. > > Regards, Frank. > > > On 17/03/2014 13:35, Frank Leonhardt wrote: >> I can see a few strategies for doing this, but as I'm about to change >> a firewall remotely I'd rather have a definitive working example for >> obvious reasons... :-) >> >> The setup is simple. natd and ipfw are currently sharing a public /29 >> with a private /24. Everything on the LAN can currently do anything >> likes through the gateway. >> >> I want to stop anything on the LAN between 192.168.1.50 and >> 192.168.1.100 (for example) from getting through the gateway (they >> can use the proxy). Everything else should be business as usual. >> >> Current ipfw script is: >> >> /sbin/ipfw add divert natd all from any to any via rl0 >> /sbin/ipfw add pass all from any to any >> >> Which, as a sanity check, leads to: >> >> 00100 divert 8668 ip from any to any via rl0 >> 00200 allow ip from any to any >> 65535 deny ip from any to any >> >> I'm having a brain storm here. Should rule 50 be "deny ip from >> 192.168.1.50-192.168.1.100 to any" >> >> I don't even know if it'll buy that kind of IP address list (I >> suspect not). I know it does CIDR but the range doesn't suit, or a >> table (which I've never used before, but if I've got the syntax I >> might just as well add multiple rules as table entries in this case). >> And I'm completely not sure about what natd does to all of this - >> never been there before. >> >> So - can anyone tell me EXACTLY the line I need? It's four hours of >> driving if I get it wrong... >> >> As a supplementary questions, presumably I can add a port number >> after the source specification to block individual ports? >> >> Thanks, Frank. >> > > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to > "freebsd-questions-unsubscribe@freebsd.org"