From: Martes Wigglesworth
Reply-To: martes.wigglesworth@earthlink.net
To: NetAdmin
Cc: ipfw-mailings
Date: Wed, 24 Nov 2004 11:14:58 +0300
Subject: Re: IPFW2 tables
Message-Id: <1101284098.40685.85.camel@Mobile1.276NET>
In-Reply-To: <1101256036.22644.69.camel@foxdaemon.com>
Organization: Wiggtekmicro Corporation
List-Id: IPFW Technical Discussions

Dude, I think that the multiple-ports section is universal, because each section of an ipfw command is programmed into the ipfw syntax, like a case in a shell script.
So, it would be theoretically redundant to list, for example, how to use multiple ports on tables, when it is already listed for general usage. I am new as well; however, it is part of my job to deal with this stuff, so I sit here and play with things. I have not gotten to tables, because I have not seen the benefit as of yet; however, by playing around, I have noticed that many of the features are just arguments that are being sent to a shell command, and can be thought of as such. Like about a month or so ago, when I was having trouble with brackets because I had forgotten that they were simply used to separate arguments within the string of arguments. A helpful person indicated that I should use the back-slash in front of the brackets, because the shell was reading them independent of the commands that I was trying to pass to ipfw. This may have been overkill, or inaccurate; however, thinking of the different features as complex arguments to a shell command has made things easier when reading through the man page(s). Please, someone correct me if I am completely off of the target with my assumption. It seems to work for me, and I felt that you could benefit from that frame of thought for ipfw.

-- 
Respectfully,
M.G.W.
System: Asus M6N, Intel Dothan 1.7, 512MB RAM, 40GB HD, 10/100/1000 NIC, Wireless b/g (not working yet)
BSD-5.2.1, GCC-3.3.5/3.3.3 (until I replace indigenous gcc), IFORT for Linux (Intel Fortran), gfortran, python-2.3, Perl-5.6.1/5.8.5, Java-sdk-1.4.2_5, KDE-3.1.4

----- Forwarded message - Re: IPFW2 tables -----

From: NetAdmin
To: tw@wsf.at
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 23 Nov 2004 19:27:16 -0500
Subject: Re: IPFW2 tables
Message-Id: <1101256036.22644.69.camel@foxdaemon.com>
In-Reply-To: <20041123232907.gkw44hr838gk48@.mailhost.wsf.at>

On Tue, 2004-11-23 at 22:29 +0000, Thomas Wolf wrote:
> NetAdmin wrote:
> 
> > > > Set rule as; *Note: found there was a problem using table (1)
> > > > {fwcmd} add 300 deny ip from table '1' to me
> > > 
> > > The correct syntax that should work under any shell should be
> > > {fwcmd} add 300 deny ip from table\(1\) to me
> > > or
> > > {fwcmd} add 300 deny ip from "table(1)" to me
> > 
> > Great! That worked. Thanks. Now, is there a page I can refer to for
> > other commands and syntax like adding multiple ports?
> 
> 'man 8 ipfw' is still the best reference for commands and syntax (IMHO).
> 
> > I tried the following and assume it works.
> > 
> > ${fwcmd} add 301 deny all from "table(2)" to me 20-25,110,113,143
> > 
> > # ipfw show
> > 00301 0 0 deny ip from table(2) to me dst-port 20-25,110,113,143
> 
> That looks ok. Although I would 'unreach host' or 'reset' packets
> to ident (port 113). 'Dropping' them just gets you delays when
> querying mailservers and other services.
> 
> Thomas

I did look at the man page for tables. The only thing really mentioned is:

    ipfw table number add addr[/masklen] [value]
    ipfw table number delete addr[/masklen]
    ipfw table number flush
    ipfw table number list

and

    LOOKUP TABLES
         Lookup tables are useful to handle large sparse address sets, typically
         from a hundred to several thousands of entries.  There could be 128
         different lookup tables, numbered 0 to 127.

etc... etc...
Make no mistake, I appreciate your help immensely, and unless someone else had responded, I would still be wondering what I needed to do. However, I have checked the sources commonly available to newer users, including searches on Google. Having said that, nowhere in 'man 8 ipfw' does it say how to add multiple ports in conjunction with tables, or the correct syntax for adding the table to rc.firewall. Tables for IPFW aren't even mentioned in http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

That is why I asked if anyone knew of any other sources of information on tables and their syntax. It is what I am still asking. Where can I find more information on using tables with IPFW?

Respectfully,
Mark
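The syntax the quoted exchange converges on (quoting "table(N)" so the shell passes it through, a port list on a table-based rule, and 'reset' rather than 'deny' for ident), pulled together as an added sh example. This is not code from any of the posters or from rc.firewall: FWCMD is a hypothetical variable standing in for ${fwcmd}, it defaults to "echo ipfw" so the commands are only printed, and the address set is constructed from documentation prefixes.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw2 lookup-table rules built from sh
# functions so the quoting is done in one place.
# FWCMD (hypothetical, stands in for ${fwcmd}) defaults to "echo ipfw" so the
# script is a dry run on any host; set FWCMD=/sbin/ipfw on the FreeBSD box to
# actually load the table and rules.
FWCMD="${FWCMD:-echo ipfw}"

# Constructed sample address set (RFC 5737 documentation prefixes, not a real
# block list). In rc.firewall this would come from a variable or a file.
BLOCKED_NETS="192.0.2.0/24 198.51.100.17 203.0.113.0/25"

# load_table TABLE ADDR[/MASKLEN]...: flush lookup table TABLE and reload it.
load_table() {
    tbl="$1"; shift
    $FWCMD table "$tbl" flush
    for net in "$@"; do
        $FWCMD table "$tbl" add "$net"
    done
}

# table_rule NUM ACTION PROTO TABLE [OPTIONS...]: one rule matching sources
# listed in lookup table TABLE and destined to this host. Anything after
# TABLE is passed through unchanged, e.g. "113" or "dst-port 20-25,110".
table_rule() {
    num="$1"; action="$2"; proto="$3"; tbl="$4"; shift 4
    # "table($tbl)" must be quoted (or written table\($tbl\)). Unquoted,
    # the parentheses are sh syntax and the shell fails with a syntax error
    # before ipfw ever sees the line. table '1' is also wrong: the quotes
    # are stripped by the shell and ipfw receives the two words "table 1".
    $FWCMD add "$num" "$action" "$proto" from "table($tbl)" to me "$@"
}

apply_rules() {
    load_table 1 $BLOCKED_NETS   # unquoted on purpose: one entry per argument
    table_rule 300 deny ip 1
    table_rule 301 deny tcp 1 dst-port 20-25,110,143
    # ident (113): answer with a RST instead of silently dropping, otherwise a
    # mail server that does an ident lookup waits out its timeout on every
    # delivery from us.
    table_rule 302 reset tcp 1 113
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with no arguments and `FWCMD` unset to see the exact command lines that will be handed to ipfw; `FWCMD=/sbin/ipfw sh ipfw-tables.sh apply` loads them. The 'reset' action is only valid for TCP, which is why rule 302 names the protocol explicitly instead of 'ip' or 'all'.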