Date: Mon, 22 Sep 1997 19:48:15 -0700 (PDT)
From: Archie Cobbs <archie@whistle.com>
To: lioux@gns.com.br (Mario Sergio Fujikawa Ferreira)
Cc: freebsd-questions@FreeBSD.ORG, raulxn@linf.unb.br, tada@linf.unb.br
Subject: Re: IPFW recv and xmit
Message-ID: <199709230248.TAA25843@bubba.whistle.com>
In-Reply-To: <199709222048.RAA28707@srv1-bsb.gns.com.br> from Mario Sergio Fujikawa Ferreira at "Sep 22, 97 05:51:48 pm"
Mario Sergio Fujikawa Ferreira writes:
> I would like some clarification on ipfw. I am used to writing normal
> rules.
> However, I am trying to write rules that use both recv and xmit.
> I know how ipfw builds the rules priority: from 1 to 65535, in order.
> However, I would like to know how it handles packets. Here is a
> hypothetical example.
>
> Internet <-vx0 (164.40.40.26)->Firewall<-vx1 (164.40.41.1)-> Net
> (164.40.41.0/25)
>
> How does it handle a packet from 164.40.38.1 to 164.40.41.6?
> Does it check it when it goes in vx0? Another when out vx0? In vx1? Out
> vx1?
> Or not? All the above?

Whatever you want :-)

The stuff at the end of the ipfw rules says when to APPLY the rule.
When the rule is applied to a packet, and the packet matches the rule,
then the action is taken.

  To apply a rule when a packet is:                            You add:
  ----------------------------------------------------------   -----------------
  Received on interface if0                                    recv if0
  Transmitted on interface if0                                 xmit if0
  Received OR transmitted on interface if0                     via if0
  Received on interface if0 AND transmitted on interface if1   recv if0 xmit if1
  Received OR transmitted on ANY interface                     <nothing>

> Let's say I want a machine 164.40.41.2 to only accept smtp connections
> from the internet, just for example. Are these correct? I am having trouble
> understanding the semantics when writing rules with recv and xmit.
>
> ipfw add reject tcp from 164.40.41.0/24 to any in recv vx0
> (later - 1)
> ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1
> xmit vx0 setup
> ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1
> xmit vx0 setup
> ipfw add allow tcp from 164.40.41.2/32 25 to any 1024-65535 out recv vx0
> xmit vx1 established
>
> I know these are not working. Should I add these rules on the (later -1)
> label?
>
> ipfw add allow from any to 164.40.41.0/24 in recv vx0
> ipfw add allow from 164.40.41.0/24 to any in recv vx1
>
> I would like to keep the recv/xmit rules. Which mistakes am I making?
Your first rule is going to stop ALL incoming TCP packets. Therefore,
it doesn't matter what the other rules do.

Maybe you want something like this if you're trying to protect the
164.40.41.2 machine:

  1000 allow tcp from any to 164.40.41.2 25 recv vx0
  1010 reject tcp from any to 164.40.41.2

This will allow SMTP connections, but no others. Other machines are
not protected, however. It's safer to selectively open holes and
block everything else, e.g.:

  1000 allow tcp from any to 164.40.41.2 25
  1000 allow tcp from 164.40.41.2 25 to any established
  ...
  65535 deny ip from any to any

-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
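As an added illustration (not code from this thread or from FreeBSD's ipfw), here is a small Python model of the two checks a forwarded packet gets on the firewall above: once on input, when only the receiving interface is known, and once on output, when both interfaces are known. It models only destination address/port plus the recv/xmit/via options from the table, and assumes the default rule 65535 denies.

```python
# Toy model of ipfw's recv/xmit/via matching on a forwarding firewall.
# Constructed illustration, not FreeBSD's ipfw: it models only what the
# thread discusses (destination address/port and the interface options).
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    num: int
    action: str
    dst: str = "0.0.0.0/0"       # "any"
    dport: Optional[int] = None  # None = any port
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None

    def matches(self, dst, dport, recv, xmit=None):
        # recv and xmit must each match when given; via matches either side.
        # xmit is None at the input check, so a rule with xmit cannot match there.
        if self.recv and recv != self.recv:
            return False
        if self.xmit and xmit != self.xmit:
            return False
        if self.via and self.via not in (recv, xmit):
            return False
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport

def first_match(rules, dst, dport, recv, xmit=None):
    # Rules are tried in number order; the first match decides, 65535 is the default deny.
    for r in sorted(rules, key=lambda r: r.num):
        if r.matches(dst, dport, recv, xmit):
            return r.num, r.action
    return 65535, "deny"

def forward(rules, dst, dport, in_iface, out_iface):
    # A forwarded packet is checked on input (recv only, xmit unknown) and,
    # if it passed, again on output (recv and xmit both known).
    verdicts = [first_match(rules, dst, dport, in_iface)]
    if verdicts[0][1] == "allow":
        verdicts.append(first_match(rules, dst, dport, in_iface, out_iface))
    return verdicts

# Archie's suggestion: open SMTP to 164.40.41.2 arriving on vx0, reject the rest to it.
RULES = [Rule(1000, "allow", "164.40.41.2/32", 25, recv="vx0"),
         Rule(1010, "reject", "164.40.41.2/32")]
```

In this model a rule that names an xmit interface can only match on the output pass, so a packet still needs an input-side allow (or a via/recv rule) to get that far, which is why `forward` stops after the first reject.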