From owner-freebsd-questions Mon Sep 22 19:49:20 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA10211 for questions-outgoing; Mon, 22 Sep 1997 19:49:20 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id TAA10205 for ; Mon, 22 Sep 1997 19:49:16 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id TAA14267; Mon, 22 Sep 1997 19:48:27 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma014263; Mon Sep 22 19:48:15 1997
Received: (from archie@localhost) by bubba.whistle.com (8.8.5/8.6.12) id TAA25843; Mon, 22 Sep 1997 19:48:15 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199709230248.TAA25843@bubba.whistle.com>
Subject: Re: IPFW recv and xmit
In-Reply-To: <199709222048.RAA28707@srv1-bsb.gns.com.br> from Mario Sergio Fujikawa Ferreira at "Sep 22, 97 05:51:48 pm"
To: lioux@gns.com.br (Mario Sergio Fujikawa Ferreira)
Date: Mon, 22 Sep 1997 19:48:15 -0700 (PDT)
Cc: freebsd-questions@FreeBSD.ORG, raulxn@linf.unb.br, tada@linf.unb.br
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Mario Sergio Fujikawa Ferreira writes:
> I would like some clarification on ipfw. I am used to writing normal
> rules.
> However, I am trying to write rules that use both recv and xmit.
> I know how ipfw builds the rules priority: from 1 to 65535, in order.
> However, I would like to know how it handles packets. Here is a
> hypothetical example.
>
> Internet <-vx0 (164.40.40.26)->Firewall<-vx1 (164.40.41.1)-> Net
> (164.40.41.0/25)
>
> How does it handle a packet from 164.40.38.1 to 164.40.41.6?
> Does it check it when it goes in vx0? Another when out vx0? In vx1? Out
> vx1?
> Or not? All the above?
Whatever you want :-)

The stuff at the end of the ipfw rules says when to APPLY the rule.
When the rule is applied to a packet, and the packet matches the rule,
then the action is taken.

To apply a rule when a packet is:            You add:
--------------------------------             -------
Received on interface if0                    recv if0
Transmitted on interface if0                 xmit if0
Received OR transmitted on interface if0     via if0
Received on interface if0 AND
  transmitted on interface if1               recv if0 xmit if1
Received OR transmitted on ANY interface

> Let's say I want a machine 164.40.41.2 to only accept smtp connections
> from the internet, just for example. Are these correct? I am having trouble
> understanding the semantics when writing rules with recv and xmit.
>
> ipfw add reject tcp from 164.40.41.0/24 to any in recv vx0
> (later - 1)
> ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1 xmit vx0 setup
> ipfw add allow tcp from any 1024-65535 to 164.40.41.2/32 25 out recv vx1 xmit vx0 setup
> ipfw add allow tcp from 164.40.41.2/32 25 to any 1024-65535 out recv vx0 xmit vx1 established
>
> I know these are not working. Should I add these rules on the (later -1)
> label?
>
> ipfw add allow from any to 164.40.41.0/24 in recv vx0
> ipfw add allow from 164.40.41.0/24 to any in recv vx1
>
> I would like to keep the recv/xmit rules. Which mistakes am I making?

Your first rule is going to stop ALL incoming TCP packets. Therefore,
it doesn't matter what the other rules do.

Maybe you want something like this if you're trying to protect the
164.40.41.2 machine:

  1000 allow tcp from any to 164.40.41.2 25 recv vx0
  1010 reject tcp from any to 164.40.41.2

This will allow SMTP connections, but no others. Other machines are
not protected, however. It's safer to selectively open holes and block
everything else, eg.:

  1000 allow tcp from any to 164.40.41.2 25
  1000 allow tcp from 164.40.41.2 25 to any established
  ...
  65535 deny ip from any to any

-Archie

___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com
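The interface table and the two rule sets above can be traced with a small model of ipfw's first-match evaluation. This is an added example, not code from the mail or from FreeBSD: it assumes the topology Mario describes (outside interface vx0, inside interface vx1), that a forwarded packet is evaluated once on the way in (only the receive interface is known) and once on the way out (receive and transmit interfaces both known), and that a rule with no interface option applies on any interface. The packets, the `Packet` class, `parse_rule`, `forward` and the fallback behaviour when no rule matches are all constructed for the example; the rule sets are Archie's two suggestions quoted verbatim.

```python
"""Model of ipfw first-match evaluation with recv/xmit/via (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

OUTSIDE, INSIDE = "vx0", "vx1"        # interface names from the mail (assumed topology)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    recv_if: Optional[str] = None     # interface the packet arrived on
    xmit_if: Optional[str] = None     # interface it leaves on; None during the IN pass
    established: bool = False         # TCP segment that is not a pure SYN


def parse_rule(line: str) -> dict:
    """Parse the subset of ipfw syntax used in the mail:
    <num> <action> <proto> from <src> [port] to <dst> [port]
          [recv IF] [xmit IF] [via IF] [setup|established]
    """
    tok = line.split()
    r = {"num": int(tok[0]), "action": tok[1], "proto": tok[2],
         "src": tok[4], "sport": None, "dst": None, "dport": None,
         "recv": None, "xmit": None, "via": None, "flag": None}
    i = 5
    if tok[i] != "to":                # optional source port or range
        r["sport"] = tok[i]; i += 1
    r["dst"] = tok[i + 1]; i += 2
    keywords = ("recv", "xmit", "via", "setup", "established")
    if i < len(tok) and tok[i] not in keywords:   # optional destination port
        r["dport"] = tok[i]; i += 1
    while i < len(tok):
        if tok[i] in ("recv", "xmit", "via"):
            r[tok[i]] = tok[i + 1]; i += 2
        else:
            r["flag"] = tok[i]; i += 1
    return r


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def port_match(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


def rule_matches(r: dict, p: Packet) -> bool:
    """The interface tests follow the table in the mail: recv looks at the
    receive interface (known on both passes), xmit at the transmit interface
    (only known on the OUT pass), via at either."""
    if r["proto"] not in ("ip", p.proto):
        return False
    if not (addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)):
        return False
    if not (port_match(r["sport"], p.sport) and port_match(r["dport"], p.dport)):
        return False
    if r["recv"] and p.recv_if != r["recv"]:
        return False
    if r["xmit"] and p.xmit_if != r["xmit"]:      # never true on the IN pass
        return False
    if r["via"] and r["via"] not in (p.recv_if, p.xmit_if):
        return False
    if r["flag"] == "established" and not p.established:
        return False
    if r["flag"] == "setup" and p.established:
        return False
    return True


def first_match(rules, p: Packet, default="allow"):
    """Rules are tried in ascending number order; the first match decides.
    The fallback models a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT,
    which is what Archie's first rule set relies on (other hosts stay open)."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if rule_matches(r, p):
            return r["action"], r["num"]
    return default, None


def forward(rules, pkt: Packet, in_if: str, out_if: str):
    """Trace one forwarded packet through both passes; returns (verdict, trace)."""
    trace = []
    for stage, p in (("in", replace(pkt, recv_if=in_if, xmit_if=None)),
                     ("out", replace(pkt, recv_if=in_if, xmit_if=out_if))):
        action, num = first_match(rules, p)
        trace.append((stage, action, num))
        if action != "allow":
            return "dropped", trace
    return "forwarded", trace


# Archie's two suggestions, verbatim from the mail.
SET_PROTECT_ONE_HOST = [parse_rule(l) for l in (
    "1000 allow tcp from any to 164.40.41.2 25 recv vx0",
    "1010 reject tcp from any to 164.40.41.2")]
SET_DEFAULT_DENY = [parse_rule(l) for l in (
    "1000 allow tcp from any to 164.40.41.2 25",
    "1000 allow tcp from 164.40.41.2 25 to any established",
    "65535 deny ip from any to any")]

# Constructed sample packets (addresses taken from Mario's example network).
SMTP_SYN = Packet("tcp", "164.40.38.1", "164.40.41.2", 40000, 25)
TELNET_TO_MAILHOST = Packet("tcp", "164.40.38.1", "164.40.41.2", 40001, 23)
TELNET_TO_OTHER = Packet("tcp", "164.40.38.1", "164.40.41.6", 40002, 23)
SMTP_REPLY = Packet("tcp", "164.40.41.2", "164.40.38.1", 25, 40000, established=True)

if __name__ == "__main__":
    for name, rules in (("protect-one-host", SET_PROTECT_ONE_HOST),
                        ("default-deny", SET_DEFAULT_DENY)):
        for pkt in (SMTP_SYN, TELNET_TO_MAILHOST, TELNET_TO_OTHER):
            print(name, pkt.dst, pkt.dport, forward(rules, pkt, OUTSIDE, INSIDE))
        print(name, "reply", forward(rules, SMTP_REPLY, INSIDE, OUTSIDE))
```

Running it shows the point of Archie's second suggestion: with the first set, telnet to 164.40.41.6 falls through every rule and is forwarded, while with the explicit `65535 deny` it is dropped; it also shows that `recv vx0` matches on both passes of the inbound SMTP packet, whereas an `xmit` test can only match on the OUT pass.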