Date: Wed, 18 Sep 1996 12:49:31 +0000 (GMT) From: Adam David <adam@veda.is> To: avalon@coombs.anu.edu.au (Darren Reed) Cc: freebsd-hackers@freebsd.org Subject: Re: IPFW !IP# Message-ID: <199609181249.MAA11928@veda.is> In-Reply-To: <199609180621.GAA26166@veda.is> from Darren Reed at "Sep 18, 96 04:21:01 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
> > # ipfw add deny all from !${my_network}:${my_netmask} to any out via ${gate_if}
> > # ipfw add deny all from any to !${my_network}:${my_netmask} in via ${gate_if}
> >
> > This set of 2 rules would otherwise take 48 rules to enforce for a class C
> > network with a single domain gateway, for instance.
>
> This is just rule writing.
>
> HOw about:
>
> # ipfw add pass all from ${my_network}:${my_netmask} to any out via ${gate_if}
> # ipfw add pass all from any to ${my_network}:${my_netmask} in via ${gate_if}
> # ipfw add deny all from any to any out via ${gate_if}
> # ipfw add deny all from any to any in via ${gate_if}
>
> Darren
How would you further restrict access to services which match either of these
first 2 rules?
1. explicitly deny port ranges which are to be disallowed.
2. change the rule specification so that it is possible to pass a rule for
continued checking, but ignore further deny rules of the same granularity.
3. introduce negation of port number logic.
???
--
Adam David <adam@veda.is>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199609181249.MAA11928>