From owner-freebsd-security Thu Aug 16 11:53:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ren.sasknow.com (ren.sasknow.com [207.195.92.131]) by hub.freebsd.org (Postfix) with ESMTP id 2CB3F37B403 for ; Thu, 16 Aug 2001 11:53:21 -0700 (PDT) (envelope-from ryan@sasknow.com)
Received: from localhost (ryan@localhost) by ren.sasknow.com (8.9.3/8.9.3) with ESMTP id MAA04541; Thu, 16 Aug 2001 12:53:13 -0600 (CST) (envelope-from ryan@sasknow.com)
Date: Thu, 16 Aug 2001 12:53:13 -0600 (CST)
From: Ryan Thompson
To: Roman Zabolotnikov
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Quick IPFW Rule Question
In-Reply-To:
Message-ID:
Organization: SaskNow Technologies [www.sasknow.com]
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Roman Zabolotnikov wrote to freebsd-security@FreeBSD.ORG:

> > Hi,
> >
> > What would be the best rule to allow all incoming traffic
> > from one specific
> > I.P. address? (for a machine with 2 I.P.s bound to the NIC...)
>
> I guess it'd be like this.
>
> /sbin/ipfw add allow all from 123.123.123.123 to any via fxp0
> /sbin/ipfw add reject all from any to any via fxp0
>
> You should change "fxp0" from my example to your external interface name.
>
> > Also, what would be the best rule to allow all outgoing
> > traffic from my
> > local machine?
>
> The same way.
>
> /sbin/ipfw add allow all from 132.132.132.132 to any via fxp0
> /sbin/ipfw add reject all from any to any via fxp0
>
> But be careful with the "reject all" rule. It should be the last line in your
> firewall rules.

It is normally not required to specify the "reject all" rule. It is
hardwired as rule 65535 in ipfw. The thing to watch, in this case, is if
the user has an "OPEN" firewall thanks to rc.conf--in which case rule 65000
will be added which allows everything.

As always, order and numbering are important. Rules are passed/rejected
based on the order of numerical rule numbers. The correct rule in the wrong
order may not work at all.

--
Ryan Thompson
Network Administrator, Accounts
SaskNow Technologies - http://www.sasknow.com
#106-380 3120 8th St E - Saskatoon, SK - S7H 0W2
Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
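The two points made in the thread (first-match evaluation in rule-number order, and the implicit rule 65535 versus the rule 65000 that an "OPEN" firewall_type inserts) can be shown with a small simulator. This is an added example, not code from the thread or from ipfw itself; the rule and packet representation is a deliberate simplification (source, destination and interface only, no protocol or port matching), and the auto-numbering in `add` mimics ipfw's default of assigning unnumbered rules in steps of 100. It runs through Roman's rule set in the correct order, in the reverse order, and without any reject rule, with and without the OPEN firewall's rule 65000.

```python
"""Tiny first-match simulator for ipfw-style rule lists (added example).

Assumptions of this example, not ipfw's real parser: a rule matches on
source address, destination address and interface ("via") only, and a
packet is a (src, dst, iface) triple.  Rule 65535 (deny) is always present,
as it is in ipfw; rule 65000 (allow everything) is added only when the
simulated rc.conf firewall_type is "OPEN".
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "allow", "reject" or "deny"
    src: str      # IP address as a string, or "any"
    dst: str      # IP address as a string, or "any"
    iface: str    # interface name, or "any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str


# Hardwired in ipfw: the final rule that denies anything nothing else matched.
DEFAULT_DENY = Rule(65535, "deny", "any", "any", "any")
# Added by the rc.conf "OPEN" firewall type: it allows everything before 65535.
OPEN_ALLOW = Rule(65000, "allow", "any", "any", "any")


def add(rules: List[Rule], action: str, src: str, dst: str, iface: str) -> List[Rule]:
    """Append a rule the way 'ipfw add' does when no number is given:
    the next free multiple of 100 after the highest existing rule."""
    number = (max(r.number for r in rules) + 100) if rules else 100
    return rules + [Rule(number, action, src, dst, iface)]


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src == "any" or rule.src == pkt.src) and
            (rule.dst == "any" or rule.dst == pkt.dst) and
            (rule.iface == "any" or rule.iface == pkt.iface))


def evaluate(rules: List[Rule], pkt: Packet, firewall_type: str = "") -> Tuple[int, str]:
    """Return (rule number, action) of the first rule, in numeric order,
    that matches the packet.  Rule 65535 guarantees a result."""
    table = list(rules)
    if firewall_type.upper() == "OPEN":
        table.append(OPEN_ALLOW)
    table.append(DEFAULT_DENY)
    for rule in sorted(table, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.number, rule.action
    raise AssertionError("unreachable: rule 65535 matches every packet")


# Constructed sample traffic: the trusted host from the thread, and a stranger.
TRUSTED = Packet("123.123.123.123", "192.0.2.10", "fxp0")
STRANGER = Packet("10.0.0.1", "192.0.2.10", "fxp0")


def correct_order() -> List[Rule]:
    """Roman's rules as he wrote them: allow the host, then reject the rest."""
    rules = add([], "allow", "123.123.123.123", "any", "fxp0")
    return add(rules, "reject", "any", "any", "fxp0")


def wrong_order() -> List[Rule]:
    """The same two rules added in the reverse order."""
    rules = add([], "reject", "any", "any", "fxp0")
    return add(rules, "allow", "123.123.123.123", "any", "fxp0")


def allow_only() -> List[Rule]:
    """Only the allow rule; the reject is left to the hardwired rule 65535."""
    return add([], "allow", "123.123.123.123", "any", "fxp0")


if __name__ == "__main__":
    for name, rules in (("correct order", correct_order()),
                        ("wrong order", wrong_order()),
                        ("allow only", allow_only())):
        for fw in ("", "OPEN"):
            print(f"{name:14s} firewall_type={fw or '(none)':7s}"
                  f" trusted={evaluate(rules, TRUSTED, fw)}"
                  f" stranger={evaluate(rules, STRANGER, fw)}")
```

Running it shows the failure mode Ryan describes: with the rules reversed, the trusted host is rejected by rule 100 before rule 200 is ever consulted, and with only an allow rule the stranger is still denied by 65535 unless firewall_type is "OPEN", in which case rule 65000 lets it through.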