Date:      Tue, 7 Jan 1997 16:14:09 +1100 (EDT)
From:      Darren Reed <avalon@coombs.anu.edu.au>
To:        proff@suburbia.net
Cc:        brandon@cold.org, security@freebsd.org
Subject:   Re: FreeBSD as a cleanwall
Message-ID:  <199701070514.VAA28796@freefall.freebsd.org>
In-Reply-To: <19970106231249.23462.qmail@suburbia.net> from "proff@suburbia.net" at Jan 7, 97 10:12:49 am

In some mail from proff@suburbia.net, sie said:
> 
> > Does anybody have a configuration for packet filtering through a FreeBSD
> > router to run a cleanwall?  Basically to keep all addresses of a specific
> > IP set (say a class C) on the right sides.  I.e. only set addresses of
> > that set leave the network and don't allow any addresses of that set onto
> > the network?  I'm mulling through the docs now, but figured to look here
> > for any possible pointers, as this seems like it would be a common enough
> > operation.. 
> > 
> what you want is something like:
> 
> # ipfw add pass all from 10.1.2.1 to any in via ed0
> # ipfw add pass all from any to 10.1.2.1 out via ed0
> # ipfw add deny all from 10.1.2.0/24 to any in via ed0
> # ipfw add deny all from any to 10.1.2.0/24 out via ed0
> 
> Note that the current ipfw is a little painful, because you can't
> distinguish packets to be forwarded and packets to be accepted/sent
> to/from the host.

Which if used are probably going to be more complex (more rules) and
less comprehensive (unless you include all of the above).

You should be protecting the host as well as the network from the host.

> If you are running my ipfw patches, you can (mostly) get avoid this
> by using:
...

Julian, you really should separate this functionality out of ipfw.

For the most part, it has no relevance to the original context of ipfw.
Maybe you should write ipfws (IP firewall sockets) or similar ?  (Makes
good sense to me ... :-)

Darren
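As an added example (not part of this thread, and not anyone's posted rules), here is the whole "cleanwall" policy for a two-interface FreeBSD router, written in the ipfw syntax FreeBSD still accepts (`all`, `pass`/`deny`, `in`/`out via`, as in the four rules quoted above). It goes beyond those four rules by also covering the inside interface, the router's own address (the point about protecting the host as well as the network), and an explicit final deny. The interface names ed0/ed1, the prefix 10.1.2.0/24, the router's outside address 192.0.2.1 and the ssh-only policy for the router itself are assumptions. The function prints the rules instead of running them, so it can be reviewed anywhere and then piped to sh as root on the router.

```shell
#!/bin/sh
# Added example, not from the thread. Emits a complete cleanwall ruleset for
# a FreeBSD router with one outside and one inside interface. Arguments:
#   $1 outside interface            (assumed ed0)
#   $2 inside interface             (assumed ed1)
#   $3 internal prefix              (assumed 10.1.2.0/24, the "class C")
#   $4 router's own outside address (assumed 192.0.2.1, outside the prefix)
# Rules are printed, not executed; on the router, review and pipe to sh.
cleanwall_rules() {
    ext="$1"; inside="$2"; net="$3"; me="$4"
    printf '%s\n' "ipfw -f flush"
    # Loopback is never filtered.
    printf '%s\n' "ipfw add 10 pass all from any to any via lo0"
    # Anti-spoofing on the outside interface: an internal source may not
    # arrive from the Internet, and an internal destination may not leave
    # toward it. Logging makes spoofing attempts visible.
    printf '%s\n' "ipfw add 100 deny log all from $net to any in via $ext"
    printf '%s\n' "ipfw add 110 deny log all from any to $net out via $ext"
    # Egress: only the internal prefix and the router itself may send out.
    printf '%s\n' "ipfw add 200 pass all from $net to any out via $ext"
    printf '%s\n' "ipfw add 210 pass all from $me to any out via $ext"
    printf '%s\n' "ipfw add 220 deny log all from any to any out via $ext"
    # Inside interface: only the prefix may originate there (a compromised
    # internal host cannot spoof other people's addresses), and only the
    # prefix is reachable through it. ipfw checks a forwarded packet twice,
    # on input and on output, so both directions need a pass rule.
    printf '%s\n' "ipfw add 300 pass all from $net to any in via $inside"
    printf '%s\n' "ipfw add 310 deny log all from any to any in via $inside"
    printf '%s\n' "ipfw add 320 pass all from any to $net out via $inside"
    printf '%s\n' "ipfw add 330 deny log all from any to any out via $inside"
    # The router itself, not only the network behind it: from the outside,
    # accept only ssh to its address (an assumed policy) and drop everything
    # else aimed at it.
    printf '%s\n' "ipfw add 400 pass tcp from any to $me 22 in via $ext"
    printf '%s\n' "ipfw add 410 deny log all from any to $me in via $ext"
    # A plain cleanwall forwards the rest unchanged into the network.
    printf '%s\n' "ipfw add 500 pass all from any to $net in via $ext"
    # Explicit final deny: do not rely on the kernel's default rule 65535,
    # which is deny or allow depending on how the kernel was built.
    printf '%s\n' "ipfw add 65000 deny log all from any to any"
}

# Stand-alone use:  sh cleanwall.sh ed0 ed1 10.1.2.0/24 192.0.2.1 | sh
if [ "$#" -eq 4 ]; then
    cleanwall_rules "$@"
fi
```

Rule numbers make the order explicit: the anti-spoofing denies (100, 110) sit before every pass rule, so a packet arriving on ed0 with an internal source is dropped even if it is addressed to the router's ssh port, and the host rules (400, 410) sit before the forwarding rule (500) so that traffic to the router is never treated as traffic to the network behind it.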


