From owner-freebsd-hackers Wed Sep 18 05:50:54 1996 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id FAA21454 for hackers-outgoing; Wed, 18 Sep 1996 05:50:54 -0700 (PDT) Received: from veda.is (root@ubiq.veda.is [193.4.230.60]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id FAA21243 for ; Wed, 18 Sep 1996 05:50:17 -0700 (PDT) Received: (from adam@localhost) by veda.is (8.7.5/8.7.3) id MAA11928; Wed, 18 Sep 1996 12:49:34 GMT From: Adam David Message-Id: <199609181249.MAA11928@veda.is> Subject: Re: IPFW !IP# To: avalon@coombs.anu.edu.au (Darren Reed) Date: Wed, 18 Sep 1996 12:49:31 +0000 (GMT) Cc: freebsd-hackers@freebsd.org In-Reply-To: <199609180621.GAA26166@veda.is> from Darren Reed at "Sep 18, 96 04:21:01 pm" X-Mailer: ELM [version 2.4ME+ PL22 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > # ipfw add deny all from !${my_network}:${my_netmask} to any out via ${gate_if} > > # ipfw add deny all from any to !${my_network}:${my_netmask} in via ${gate_if} > > > > This set of 2 rules would otherwise take 48 rules to enforce for a class C > > network with a single domain gateway, for instance. > > This is just rule writing. > > HOw about: > > # ipfw add pass all from ${my_network}:${my_netmask} to any out via ${gate_if} > # ipfw add pass all from any to ${my_network}:${my_netmask} in via ${gate_if} > # ipfw add deny all from any to any out via ${gate_if} > # ipfw add deny all from any to any in via ${gate_if} > > Darren How would you further restrict access to services which match either of these first 2 rules? 1. explicitly deny port ranges which are to be disallowed. 2. change the rule specification so that it is possible to pass a rule for continued checking, but ignore further deny rules of the same granularity. 3. introduce negation of port number logic. ??? -- Adam David