From owner-freebsd-hackers Wed Sep 18 06:18:40 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id GAA07606 for hackers-outgoing; Wed, 18 Sep 1996 06:18:40 -0700 (PDT)
Received: from cheops.anu.edu.au (avalon@cheops.anu.edu.au [150.203.76.24]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id GAA07562 for ; Wed, 18 Sep 1996 06:18:36 -0700 (PDT)
Message-Id: <199609181318.GAA07562@freefall.freebsd.org>
Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA229552684; Wed, 18 Sep 1996 23:18:04 +1000
From: Darren Reed
Subject: Re: IPFW !IP#
To: adam@veda.is (Adam David)
Date: Wed, 18 Sep 1996 23:18:04 +1000 (EST)
Cc: avalon@coombs.anu.edu.au, freebsd-hackers@freebsd.org
In-Reply-To: <199609181249.MAA11928@veda.is> from "Adam David" at Sep 18, 96 12:49:31 pm
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Adam David, sie said:
>
> > > # ipfw add deny all from !${my_network}:${my_netmask} to any out via ${gate_if}
> > > # ipfw add deny all from any to !${my_network}:${my_netmask} in via ${gate_if}
> > >
> > > This set of 2 rules would otherwise take 48 rules to enforce for a class C
> > > network with a single domain gateway, for instance.
> >
> > This is just rule writing.
> >
> > How about:
> >
> > # ipfw add pass all from ${my_network}:${my_netmask} to any out via ${gate_if}
> > # ipfw add pass all from any to ${my_network}:${my_netmask} in via ${gate_if}
> > # ipfw add deny all from any to any out via ${gate_if}
> > # ipfw add deny all from any to any in via ${gate_if}
> >
> > Darren
>
> How would you further restrict access to services which match either of these
> first 2 rules?

This is getting back to 1st principles... Put the rule before the case which
I want to create an exception for.
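The point of the reply is ipfw's first-match evaluation: a more specific deny only takes effect if it sits before the broad pass rule it carves an exception out of. The following toy evaluator, added here as an illustration and not code from the thread or from ipfw itself, models that behaviour with Darren's four rules and a per-service exception. Everything concrete is a constructed assumption: 192.0.2.0/255.255.255.0 stands in for ${my_network}:${my_netmask}, the interface name "ed0" for ${gate_if}, TCP port 23 for the service being restricted, and the no-match default is taken to be deny. Real ipfw syntax and matching are richer than what is modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the thread's ${my_network}:${my_netmask} and ${gate_if}.
MY_NETWORK, MY_NETMASK = "192.0.2.0", "255.255.255.0"
GATE_IF = "ed0"
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from ipfw's old addr:mask form (a dotted netmask, not a prefix length)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "deny"
    proto: str                     # "all" or a specific protocol such as "tcp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str                 # "in" or "out"
    iface: str                     # the "via" interface
    dport: Optional[int] = None    # destination port, only used for service-specific rules


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    direction: str
    iface: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation: the first rule that matches decides the packet's fate.
    Assumption for this model: a packet matching no rule is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def base_ruleset() -> List[Rule]:
    """The four rules from Darren's reply, in the order he gave them."""
    mine = net(MY_NETWORK, MY_NETMASK)
    return [
        Rule("pass", "all", mine, ANY, "out", GATE_IF),
        Rule("pass", "all", ANY, mine, "in", GATE_IF),
        Rule("deny", "all", ANY, ANY, "out", GATE_IF),
        Rule("deny", "all", ANY, ANY, "in", GATE_IF),
    ]


# Constructed service exception: block inbound TCP port 23 to the local network.
TELNET_EXCEPTION = Rule("deny", "tcp", ANY, net(MY_NETWORK, MY_NETMASK), "in", GATE_IF, dport=23)


def exception_before_pass() -> List[Rule]:
    """The exception placed before the broad pass rule, as the reply advises."""
    return [TELNET_EXCEPTION] + base_ruleset()


def exception_after_pass() -> List[Rule]:
    """The same exception appended after the pass rules: shadowed, so it never fires."""
    return base_ruleset() + [TELNET_EXCEPTION]


if __name__ == "__main__":
    inbound_telnet = Packet("tcp", "198.51.100.7", "192.0.2.10", "in", GATE_IF, 23)
    for name, rules in (("base", base_ruleset()),
                        ("exception first", exception_before_pass()),
                        ("exception last", exception_after_pass())):
        print(f"{name:16s} inbound telnet -> {evaluate(rules, inbound_telnet)}")
```

Running it shows the inbound telnet packet passing under the base ruleset, being denied when the exception precedes the pass rule, and passing again when the exception is appended after it, which is exactly the ordering mistake the reply warns against.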