From owner-freebsd-questions Sun Jun 30 23:36:48 2002
Date: Mon, 1 Jul 2002 07:36:09 +0100
From: Matthew Seaman
To: ???? ???????
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw: broadcast thing
Message-ID: <20020701063609.GA44340@happy-idiot-talk.infracaninophi>
References: <20020630212920.GA42452@happy-idiot-talk.infracaninophi> <20020701075031.H5982-100000@sol.chel.skbkontur.ru>
In-Reply-To: <20020701075031.H5982-100000@sol.chel.skbkontur.ru>

On Mon, Jul 01, 2002 at 07:52:05AM +0600, ???? ??????? wrote:
>
> > On Sun, Jun 30, 2002 at 11:48:56PM +0600, ???? ??????? wrote:
> > > Dear Sirs,
> > >
> > > for example, rl0 and rl1 are local (non-Internet) interfaces.
> > > (I'm going to switch to stateful rules soon, but for now I've configured
> > > a stateless firewall):
> > >
> > >     ipfw add 100 allow ip from me to any
> > >     ipfw add 200 allow ip from any to me via rl0
> > >     ipfw add 200 allow ip from any to me via rl1
> > >
> > > that's simple, that's good, I even like it :)
> > > but such a configuration doesn't pass broadcast packets:
> > >
> > >     Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
> > >     Jun 30 23:42:43 sol /kernel: ipfw: 104 Deny UDP 192.168.100.28:138 192.168.100.255:138 in via rl0
> > >     Jun 30 23:43:14 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
> > >     Jun 30 23:43:45 sol /kernel: ipfw: 104 Deny UDP 192.168.200.3:520 255.255.255.255:520 in via rl1
> > >
> > > can anybody help me with "allow"ing broadcast traffic??
> >
> > If you know what the IP address is on each of your interfaces, it is more
> > efficient to quote it explicitly in your IPFW rulesets.  You can also
> > change the filter to take account of the local network number and
> > netmask, which will allow broadcast packets as well:
> >
> >     ipfw add 100 allow ip from 192.168.100.28 to any
> >     ipfw add 150 allow ip from 192.168.200.3 to any
> >     ipfw add 200 allow ip from any to 192.168.100.0/24 via rl0
> >     ipfw add 250 allow ip from any to 192.168.200.0/24 via rl1
>
> no, I don't want to pass "from any to any", I just want to pass
> "from me to any" + "from any to me" + "broadcast things" (no matter
> what the meaning of broadcast is, RIP, SMB or whatever)

What I wrote is very different to a 'from any to any' rule.

Try:

    ipfw add 100 allow ip from 192.168.100.28 to any
    ipfw add 150 allow ip from 192.168.200.3 to any
    ipfw add 200 allow ip from any to 192.168.100.28 via rl0
    ipfw add 250 allow ip from any to 192.168.200.3 via rl1
    ipfw add 300 allow ip from any to 192.168.100.255 via rl0
    ipfw add 350 allow ip from any to 192.168.200.255 via rl1

or if you want to get really strict about it:

    ipfw add 100 allow ip from 192.168.100.28 to any out via rl0
    ipfw add 150 allow ip from 192.168.200.3 to any out via rl1
    ipfw add 200 allow ip from any to 192.168.100.28 in via rl0
    ipfw add 250 allow ip from any to 192.168.200.3 in via rl1
    ipfw add 300 allow ip from any to 192.168.100.255 in via rl0
    ipfw add 350 allow ip from any to 192.168.200.255 in via rl1

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
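To make the difference between the "to me" rules and the explicit rules concrete, here is an added example (not part of the thread) that mimics ipfw's first-match evaluation in Python, with "me" expanded to the host's interface addresses as Matthew assumed them; the neighbour addresses and the two sample packets are constructed.

```python
import ipaddress

# Constructed: the firewall host's own addresses on rl0 and rl1, as assumed in the reply.
ME = {"192.168.100.28", "192.168.200.3"}   # what ipfw's "me" keyword stands for

def addr_matches(spec, addr):
    """Match an address against an ipfw spec: any, me, a host, or a CIDR block."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME   # a broadcast address is never one of "me"
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(text):
    """Parse the subset 'ipfw add N ACTION ip from SRC to DST [in|out] [via IFACE]'."""
    t = text.split()
    if t[:2] != ["ipfw", "add"] or t[4:6] != ["ip", "from"] or t[7] != "to":
        raise ValueError("unsupported rule syntax: " + text)
    opts = t[9:]
    return {"num": int(t[2]), "action": t[3], "src": t[6], "dst": t[8],
            "dir": next((o for o in opts if o in ("in", "out")), None),
            "via": opts[opts.index("via") + 1] if "via" in opts else None}

def first_match(rules, src, dst, direction, iface):
    """ipfw semantics: rules are walked by number, first match wins, rule 65535 denies."""
    for r in sorted(rules, key=lambda r: r["num"]):  # stable: equal numbers keep add order
        if r["dir"] and r["dir"] != direction:
            continue
        if r["via"] and r["via"] != iface:
            continue
        if addr_matches(r["src"], src) and addr_matches(r["dst"], dst):
            return r["num"], r["action"]
    return 65535, "deny"

ORIGINAL = [parse_rule(r) for r in (
    "ipfw add 100 allow ip from me to any",
    "ipfw add 200 allow ip from any to me via rl0",
    "ipfw add 200 allow ip from any to me via rl1")]
STRICT = [parse_rule(r) for r in (
    "ipfw add 100 allow ip from 192.168.100.28 to any out via rl0",
    "ipfw add 150 allow ip from 192.168.200.3 to any out via rl1",
    "ipfw add 200 allow ip from any to 192.168.100.28 in via rl0",
    "ipfw add 250 allow ip from any to 192.168.200.3 in via rl1",
    "ipfw add 300 allow ip from any to 192.168.100.255 in via rl0",
    "ipfw add 350 allow ip from any to 192.168.200.255 in via rl1")]

# Constructed packets: a neighbour's SMB directed broadcast and a RIP limited broadcast.
SMB_BCAST = ("192.168.100.5", "192.168.100.255", "in", "rl0")
RIP_BCAST = ("192.168.200.7", "255.255.255.255", "in", "rl1")
```

Run through this, the original "to me" rules deny both broadcasts, while the strict ruleset passes the directed broadcast to 192.168.100.255 but still denies the limited broadcast to 255.255.255.255 that RIP was sending in the logged lines, which would need a rule of its own.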