From: "Heimes, Rene"
To: freebsd-questions@FreeBSD.ORG
Date: Fri, 11 Jan 2002 09:01:29 +0100
Subject: AW: AW: firewalling with ipfw

hi rocky,

when applying your suggestion I get the following error:

ipfw: error: hostname ``A.B.C.21,A.B.C.126'' unknown

what's wrong, what more information do you need?

-----Original Message-----
From: Roger 'Rocky' Vetterberg [mailto:listsub@rambo.simx.org]
Sent: Thursday, 10 January 2002 07:36
To: Heimes, Rene
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: AW: firewalling with ipfw

Heimes, Rene wrote:
> I do not know how "keep-state" and "skipto" can solve my problems, so I
> give you this sample ruleset:
>
> ****************
> * HERE IT COMES *
> ****************
>
> # Low Access Clients
> ${fwcmd} add deny log all from any to A.B.C.96
> ${fwcmd} add pass udp from A.B.C.96 to any 53
> ${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.bahn.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.spiegel.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 80
> ${fwcmd} add pass tcp from A.B.C.96 to www.gsn.de 443
> ${fwcmd} add pass tcp from A.B.C.96 to any 119
> ${fwcmd} add pass tcp from A.B.C.96 to any 1494
> ${fwcmd} add pass udp from A.B.C.96 to any 1604
> ${fwcmd} add pass icmp from A.B.C.96 to any icmptypes 8 keep-state
> ${fwcmd} add pass icmp from any to A.B.C.96 icmptypes 0 keep-state
>
[snip a lot of similar rules]
> ***************
> * AND THAT'S IT *
> ***************
>
> So you all can pitch into that piece - what can be improved here???
>

Why not something like this:

# Low Access Clients
LAC="A.B.C.96,A.B.C.99,A.B.C.35"
${fwcmd} add deny log all from any to ${LAC}
${fwcmd} add pass udp from ${LAC} to any 53
${fwcmd} add pass tcp from ${LAC} to www.bahn.de 80
...

If a "low access client" changes ip, disappears or maybe gets promoted to a "high access client" :), all you need to do is remove it from or edit its entry in the LAC= line at the top.

--
R
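An added example, written by me and not by either poster: assuming, as the "hostname ... unknown" error in the reply suggests, that this ipfw build does not accept a comma-separated host list inside one rule, the LAC list can still be kept in a single variable by letting the shell expand it into one rule per address. The A.B.C.x addresses are the thread's own placeholders, the @HOST@ token and the FWCMD variable are my own conventions, and FWCMD defaults to a dry run that only prints the commands instead of loading them.

```sh
#!/bin/sh
# Added example (not from the thread): keep the "low access client" list in
# one variable but emit one ipfw rule per address, for ipfw versions that
# reject a comma-separated host list such as "A.B.C.21,A.B.C.126" in a rule.

# FWCMD defaults to a dry run that only prints each command; set
# FWCMD=/sbin/ipfw (what rc.firewall's ${fwcmd} points at) to load them.
FWCMD="${FWCMD:-echo ipfw}"

# Placeholder addresses taken from the thread; not real hosts.
LAC="A.B.C.96,A.B.C.99,A.B.C.35"

# expand_rule TEMPLATE LIST
# Prints TEMPLATE once per address in the comma-separated LIST, with the
# token @HOST@ (my own convention) replaced by that address.
expand_rule() (
    rule="$1"
    list="$2"
    IFS=','                     # split LIST on commas; the subshell keeps IFS local
    for host in $list; do
        printf '%s\n' "${rule%%@HOST@*}${host}${rule#*@HOST@}"
    done
)

# lac_ruleset LIST
# A subset of the thread's sample rules, expanded per address. The deny rule
# for every client is emitted first so that anything not explicitly passed
# below is blocked and logged, as in the original ruleset.
lac_ruleset() {
    list="$1"
    expand_rule "add deny log all from any to @HOST@" "$list"
    expand_rule "add pass udp from @HOST@ to any 53" "$list"
    expand_rule "add pass tcp from @HOST@ to www.bahn.de 80" "$list"
    expand_rule "add pass tcp from @HOST@ to www.bahn.de 443" "$list"
    expand_rule "add pass tcp from @HOST@ to any 119" "$list"
    expand_rule "add pass icmp from @HOST@ to any icmptypes 8 keep-state" "$list"
    expand_rule "add pass icmp from any to @HOST@ icmptypes 0 keep-state" "$list"
}

# load_ruleset LIST
# Hands each expanded rule to $FWCMD. Word splitting of $rule is intended:
# ipfw takes the rule body as separate arguments.
load_ruleset() {
    lac_ruleset "$1" | while read -r rule; do
        $FWCMD $rule
    done
}

load_ruleset "$LAC"
```

Adding or removing a client is still a one-line change to LAC, and because the expansion happens before ipfw sees the rule, the same script works whether or not the installed ipfw understands address lists.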