From: Joe Lewis <joe@joe-lewis.com>
Date: Wed, 04 Feb 2004 12:24:24 -0700
To: Marwan Sultan, freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw rules help.
Message-ID: <402146E8.8000701@joe-lewis.com>
In-Reply-To: <20040203195904.M73395@kifco.net>

Marwan Sultan wrote:

> a) Let's say I want to deny everything except a range of IPs
> starting from 192.168.1.1 to 192.168.1.50.
> What should the rule set be? How do I set a range of IPs to pass
> and deny the rest of the C class? The FreeBSD docs do not cover this,
> or I did not see it.

I would set a default to deny, then poke holes through it for the stuff you need, such as

    add allow ip from 192.168.1.1/5 to any
    add allow ip from any to 192.168.1.1/5

(which sets up to use 1.1 to 1.32). That netmask is your best friend.
> b) If I want to deny everything except IP 192.168.1.5 as follows:
> 00400 allow all from 192.168.1.5 to any
> 01000 deny all from any to any.
>
> When ipfw reads the rules and passes by 00400, then comes to 01000,
> it denies even 192.168.1.5, although I put this rule before the
> deny? What am I missing? How should I pass 1 IP and deny all?

It means something didn't even check it with rule 400. This can be due to an IPDIVERT thing changing the address so it doesn't match, or something similar.

> c) If I want rule 00400 to expire at 9PM and be active at 8AM (EXAMPLE),
> how do we do that? Is it by setting a cron job to delete and add
> the ipfw rule, or is there something to do from ipfw itself?

Cron job. ipfw doesn't have the capability of doing time-based rulesets. Temporary ones are okay, but time-based, it can't really handle.

> d) Last Q: If I restart the box, all the rules will be reset
> and come back to default, which is reasonable.
> How do I keep them every time I restart?
> Do I create a file somewhere, and tell my rc.conf about it?
> What should the rc.conf line be, and the file format?

Create or edit '/etc/rc.firewall'. I would only make the changes to allow a firewall type of 'file', and then make rc.conf reference a file that contains the rules. Or, you can add a startup script in /usr/local/etc/rc.d/ that adds the rules.

Joe
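As an added example, not part of the original thread: a small Python check of what an ipfw `addr/bits` specification actually matches, and of how to cover an arbitrary range such as 192.168.1.1 to 192.168.1.50 with the smallest set of CIDR blocks (that range is not a single block, so it takes several allow rules). The rule numbering and the generated rule lines are my construction, not anything from the mail.

```python
import ipaddress

# Constructed inputs: the range Marwan asked about in question (a).
WANTED_FIRST = "192.168.1.1"
WANTED_LAST = "192.168.1.50"


def ipfw_mask_range(spec: str) -> tuple[str, str, int]:
    """Return (first, last, count) for an ipfw 'addr/bits' specification.

    ipfw matches any address whose top `bits` bits equal those of the
    written address, so the written host bits play no role; strict=False
    reproduces that by masking them off.
    """
    net = ipaddress.IPv4Network(spec, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def cidr_blocks_for_range(first: str, last: str) -> list[str]:
    """Smallest set of CIDR blocks covering exactly first..last (inclusive)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def ipfw_allow_rules(first: str, last: str, start_num: int = 400, step: int = 10) -> list[str]:
    """Emit allow rules for the range in both directions as ipfw rule lines.

    The rule numbers are a constructed convention; they only need to sort
    before the final 'deny ip from any to any'.
    """
    rules = []
    num = start_num
    for block in cidr_blocks_for_range(first, last):
        rules.append(f"add {num:05d} allow ip from {block} to any")
        rules.append(f"add {num:05d} allow ip from any to {block}")
        num += step
    return rules


if __name__ == "__main__":
    # Compare how much each mask length really lets through.
    for spec in ("192.168.1.1/5", "192.168.1.0/27", "192.168.1.0/24"):
        print(spec, "->", ipfw_mask_range(spec))
    for rule in ipfw_allow_rules(WANTED_FIRST, WANTED_LAST):
        print(rule)
```

Checking the mask this way before loading a ruleset catches an accidentally permissive rule, since a short mask length admits far more than the intended subnet.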