From: steve13th <anderssl@purdue.edu>
To: freebsd-ipfw@freebsd.org
Date: Tue, 26 Feb 2008 23:13:28 -0800 (PST)
Subject: Re: IPFW Established and Outside Traffic Problem
In-Reply-To: <47C4EC3C.7@elischer.org>
Message-ID: <15707342.post@talk.nabble.com>

THANK YOU. I was trying to use ipfw exactly like iptables. The division of the
outgoing and incoming packets makes sense.

Thanks again!

Julian Elischer wrote:
>
> steve13th wrote:
>> Given:
>> Running FreeBSD
>>
>> What I want to do:
>> I am attempting to disable the following things:
>> Note H = host octet
>> 1. disable pings
>> 2. disable traffic originating from networks other than HHH.HH.HHH.0/24
>> 3. allow traffic to originate from HHH.HH.HHH.11 and go back and forth with
>> the internet
>>
>> Status:
>> I am able to block pings, but I can't have traffic with the internet
>>
>> My rules
>>
>> ipfw add 1 deny icmp from any to any icmptypes 0,8
>> ipfw add 2 allow tcp from any to any established
>> ipfw add 3 allow all from HHH.HH.HHH.11/24 to any
>>
>
> oh where to start..
>
> firstly realise that ipfw is called on every packet arriving on every
> interface and every packet leaving on every interface.
>
> you probably want to limit processing to packets coming and going on
> some interface. Assume em0 is your outside interface..
>
> # divide up traffic into what we are interested in and what we are not
> ipfw add 10 skipto 100 ip from any to any in recv em0
> ipfw add 11 skipto 200 ip from any to any out xmit em0
> ipfw add 12 allow ip from any to any
>
> # incoming packets from the outside
> ipfw add 100 drop ip from 127.0.0.0/8 to any
> ipfw add 101 drop ip from any to 127.0.0.0/8
> ipfw add 110 drop icmp from any to any icmptypes 0,8
> ipfw add 120 check-state
> [ add any other packet descriptions for incoming packets you may want
> to accept]
> ipfw add 190 drop ip from any to any
>
> # outgoing packets to the outside
> ipfw add 200 allow ip from any to any keep-state
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

--
View this message in context: http://www.nabble.com/IPFW-Established-and-Outside-Traffic-Problem-tp15704943p15707342.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.
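The point of the quoted ruleset is that ipfw sees every packet on every interface in both directions, so the first rules split traffic by interface and direction, and only outbound flows that were allowed with keep-state get their replies back in through check-state. The following is an added example, not code from the thread or from FreeBSD: a small first-match simulator that implements just the ipfw features the ruleset uses (skipto, keep-state/check-state, in recv/out xmit, icmptypes) and walks constructed packets through the quoted rules. The addresses 203.0.113.5 and 192.168.1.2, the interface em1, and the kernel default of deny for the final rule 65535 are assumptions for the example.

```python
"""Toy first-match simulator for the interface-split, stateful ipfw ruleset
quoted in the thread.  Added example; it is not ipfw(8) code and models only
skipto, keep-state/check-state, recv/xmit matching and icmptypes.  It assumes
the kernel default of 'deny' for the implicit final rule 65535."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str      # "in" (recv) or "out" (xmit)
    iface: str          # interface the packet is received on / sent out of
    sport: int = 0
    dport: int = 0
    icmptype: int = -1  # ICMP type, -1 for non-ICMP packets


@dataclass
class Rule:
    num: int
    action: str                  # "allow", "deny" or "skipto"
    match: Callable[[Pkt], bool]
    target: int = 0              # skipto destination rule number
    keep_state: bool = False     # create a dynamic rule on match
    check_state: bool = False    # consult dynamic rules (the rule itself matches nothing)


def _flow(p: Pkt):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _reverse(p: Pkt):
    # The reply direction of the same flow: addresses and ports swapped.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = set()  # dynamic rules created by keep-state

    def process(self, p: Pkt) -> str:
        i = 0
        while i < len(self.rules):
            r = self.rules[i]
            # check-state: a packet belonging to a remembered flow takes the
            # action of the rule that created the state (allow, here).
            if r.check_state and (_flow(p) in self.dyn or _reverse(p) in self.dyn):
                return "allow"
            if not r.match(p):
                i += 1
                continue
            if r.keep_state:
                self.dyn.add(_flow(p))
            if r.action == "skipto":
                # Jump to the first rule numbered >= target, as ipfw does.
                i = next((j for j, x in enumerate(self.rules) if x.num >= r.target),
                         len(self.rules))
                continue
            return r.action
        return "deny"  # implicit rule 65535 (assumed kernel default)


def _loopback(ip: str) -> bool:
    return ip.startswith("127.")


# The ruleset from the quoted reply, em0 being the outside interface.
RULES = [
    Rule(10, "skipto", lambda p: p.direction == "in" and p.iface == "em0", target=100),
    Rule(11, "skipto", lambda p: p.direction == "out" and p.iface == "em0", target=200),
    Rule(12, "allow", lambda p: True),                      # anything not on em0
    Rule(100, "deny", lambda p: _loopback(p.src)),           # 127/8 must not arrive from outside
    Rule(101, "deny", lambda p: _loopback(p.dst)),
    Rule(110, "deny", lambda p: p.proto == "icmp" and p.icmptype in (0, 8)),
    Rule(120, "allow", lambda p: False, check_state=True),   # replies to our own flows
    Rule(190, "deny", lambda p: True),                       # everything else from outside
    Rule(200, "allow", lambda p: True, keep_state=True),     # outbound: allow and remember
]


def run_scenario() -> dict:
    """Constructed packets (not captured traffic) walked through RULES."""
    fw = Ipfw(RULES)
    host, ext, lan = "HHH.HH.HHH.11", "203.0.113.5", "192.168.1.2"
    r = {}
    # Outbound DNS query: allowed by 200 and remembered.
    r["dns_out"] = fw.process(Pkt("udp", host, ext, "out", "em0", 5353, 53))
    # Its reply: no inbound rule names it, but check-state at 120 finds the flow.
    r["dns_reply"] = fw.process(Pkt("udp", ext, host, "in", "em0", 53, 5353))
    # Unsolicited inbound SYN to ssh: no state, falls through to 190.
    r["unsolicited"] = fw.process(Pkt("tcp", ext, host, "in", "em0", 40000, 22))
    # Echo request from outside: dropped by 110 before check-state.
    r["ping_in"] = fw.process(Pkt("icmp", ext, host, "in", "em0", icmptype=8))
    # Inbound packet claiming a loopback source: dropped by 100.
    r["spoofed_lo"] = fw.process(Pkt("tcp", "127.0.0.1", host, "in", "em0", 1, 80))
    # Same ping on the inside interface em1: rule 12 passes it untouched.
    r["ping_lan"] = fw.process(Pkt("icmp", lan, host, "in", "em1", icmptype=8))
    # Our own outbound ping leaves, but its echo reply (type 0) is dropped by 110.
    r["ping_out"] = fw.process(Pkt("icmp", host, ext, "out", "em0", icmptype=8))
    r["ping_reply"] = fw.process(Pkt("icmp", ext, host, "in", "em0", icmptype=0))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12s} {verdict}")
```

The last two packets show a consequence of the rule order worth checking on a real box: rule 110 drops echo replies (type 0) before check-state at 120 runs, so the host itself cannot ping out through em0. If outbound ping is wanted, drop only type 8 at 110, or move the ICMP rule after check-state. Run `ipfw list` and `ipfw -d list` on the real firewall to compare the static rules and the dynamic entries keep-state created with what the simulator predicts.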