Date: Thu, 16 Aug 2001 12:53:13 -0600 (CST)
From: Ryan Thompson <ryan@sasknow.com>
To: Roman Zabolotnikov <romaha@eoffice.ru>
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: Quick IPFW Rule Question
Message-ID: <Pine.BSF.4.21.0108161250290.1353-100000@ren.sasknow.com>
In-Reply-To: <D56EF1EAF8CCD21180A8009027177D3B6BF88B@fs.novosoft.ru>

Roman Zabolotnikov wrote to freebsd-security@FreeBSD.ORG:

> >
> > Hi,
> >
> > What would be the best rule to allow all incoming traffic
> > from one specific
> > I.P. address? (for a machine with 2 I.P.s bound to the NIC...)
>
> I guess it'd be like this.
>
> /sbin/ipfw add allow all from 123.123.123.123 to any via fxp0
> /sbin/ipfw add reject all from any to any via fxp0
>
> You should change "fxp0" from my example to your external interface name.
>
> >
> > Also, what would be the best rule to allow all outgoing
> > traffic from my
> > local machine?
> The same way.
>
> /sbin/ipfw add allow from 132.132.132.132 to any via fxp0
> /sbin/ipfw add reject all from any to any via fxp0
>
> But be careful with "reject all" rule. It should be the last line in your
> firewall rules.

It is normally not required to specify the "reject all" rule. It is
hardwired as rule 65535 in ipfw. The thing to watch, in this case, is if
the user has an "OPEN" firewall thanks to rc.conf--in which case rule
65000 will be added which allows everything.

As always, order and numbering is important. Rules are passed/rejected
based on the order of numerical rule numbers. The correct rule in the
wrong order may not work at all.

>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
  Ryan Thompson <ryan@sasknow.com>
  Network Administrator, Accounts

  SaskNow Technologies - http://www.sasknow.com
  #106-380 3120 8th St E - Saskatoon, SK - S7H 0W2

        Tel: 306-664-3600   Fax: 306-664-1161   Saskatoon
  Toll-Free: 877-727-5669     (877-SASKNOW)     North America
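
The rule-ordering point made in the reply above, as an added example that is not part of the original message: a small Python model of first-match evaluation by rule number, with the default rule 65535 and the "OPEN" rule 65000 taken from the message's description. The explicit rule numbers (100, 200, 65100) and the addresses 198.51.100.7 and 192.0.2.10 are constructed, and interface matching (`via fxp0`) is not modeled.

```python
import ipaddress

# Rule tuples are (number, action, src, dst). Numbers 65535 and 65000 follow
# the message's description; every other number here is constructed.
DEFAULT_RULE = (65535, "deny", "any", "any")   # hardwired last rule
OPEN_RULE = (65000, "allow", "any", "any")     # added by an "OPEN" rc.conf firewall

TRUSTED = "123.123.123.123"   # address used in the quoted rules
STRANGER = "198.51.100.7"     # constructed sample source
LOCAL = "192.0.2.10"          # constructed sample destination


def _matches(spec, addr):
    """True if addr matches an address spec: 'any', a host, or a CIDR block."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src, dst):
    """Return (rule_number, action) of the first rule that matches the packet.

    Rules are checked in ascending rule-number order; the stable sort keeps
    insertion order for equal numbers. The default rule is always appended.
    """
    ordered = sorted(rules + [DEFAULT_RULE], key=lambda rule: rule[0])
    for number, action, rule_src, rule_dst in ordered:
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return number, action
    raise AssertionError("unreachable: the default rule matches every packet")


# The same two rules in both orders, then two rule sets without a usable reject.
RIGHT_ORDER = [(100, "allow", TRUSTED, "any"), (200, "reject", "any", "any")]
WRONG_ORDER = [(100, "reject", "any", "any"), (200, "allow", TRUSTED, "any")]
ALLOW_ONLY = [(100, "allow", TRUSTED, "any")]
# On an "OPEN" firewall, a reject numbered above 65000 is never reached.
OPEN_SHADOWED = [(100, "allow", TRUSTED, "any"), OPEN_RULE,
                 (65100, "reject", "any", "any")]

if __name__ == "__main__":
    for name, rules in [("right order", RIGHT_ORDER), ("wrong order", WRONG_ORDER),
                        ("allow only", ALLOW_ONLY), ("open, shadowed", OPEN_SHADOWED)]:
        for src in (TRUSTED, STRANGER):
            print(f"{name:15} {src:16} -> {evaluate(rules, src, LOCAL)}")
```
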