From owner-freebsd-questions@FreeBSD.ORG Sun Apr 27 06:58:26 2003
From: Lowell Gilbert
To: Antoine Jacoutot
cc: freebsd-questions@freebsd.org
Subject: Re: firewall dynamic IP
Date: 27 Apr 2003 09:58:17 -0400
Message-ID: <441xzot53a.fsf@be-well.ilk.org>
In-Reply-To: <200304251159.36187.ajacoutot@lphp.org>
References: <200304251159.36187.ajacoutot@lphp.org>

Antoine Jacoutot writes:

> In my progress of still learning firewall with ipfw, I have a question.
> Can I convert the following rule:
>
> ${fwcmd} add pass tcp from any to ${oip} 25 setup
>
> into one of those (which one would be the best, I guess the second one, right
> ?):
>
> ${fwcmd} add pass tcp from any to any via tun0 25 setup
> ${fwcmd} add pass tcp from any to me in via tun0 setup

Personally, I don't use the "me" rules very much because they're slower, and
I have other rules that should be blocking packets that aren't addressed to
me. It's probably not a bad idea, though -- a little extra protection.

I think the syntax you want is to put the port number right after the
address, though. Furthermore, I'd recommend using names instead of numbers
for TCP ports, because it makes the setup more readable.

${fwcmd} add pass tcp from any to me telnet in via tun0 setup

> I ask this question because I do not have a fixed @ip on the outside interface
> so I cannot use the ${oip} (outside @ip) variable.

Right.

> By the way, is there a difference between:
> ${fwcmd} add pass... and ${fwcmd} add allow... ?

No difference. Quoting the manual page:

allow | accept | pass | permit
Allow packets that match rule. The search terminates.
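The approach discussed in the thread, written out as an rc.firewall-style fragment for a box whose outside address on tun0 changes. This is an added example, not code from the original messages: it assumes the outside interface is tun0, that the inbound services (smtp and ssh) are constructed for illustration, and that FWCMD defaults to echo so the rules are printed rather than installed.

```shell
#!/bin/sh
# Added example (not from the original thread).  Because the outside address
# is not known in advance, the rules use "me" (any address configured on this
# host) plus "via tun0" instead of the ${oip} variable, the port goes directly
# after the address, and service names from /etc/services replace numbers.
#
# Assumptions (constructed for this example): the outside interface is tun0;
# FWCMD defaults to "echo" so the rules are printed, not installed.  Run with
# FWCMD="/sbin/ipfw -q" as root to install them for real.

oif="tun0"
fwcmd="${FWCMD:-echo}"
inbound_tcp="smtp ssh"   # constructed list of services this host offers

# Emit the ruleset through $fwcmd; printing makes the function testable.
dynamic_ip_rules() {
    # Flush the old set so it is rebuilt cleanly each time the link comes up.
    ${fwcmd} -f flush

    # Let stateful replies and already-established connections through.
    ${fwcmd} add check-state
    ${fwcmd} add pass tcp from any to any established

    # Inbound services on the outside interface: "me" is whatever address
    # tun0 currently has, and only the first (setup) packet is matched here.
    for svc in ${inbound_tcp}; do
        ${fwcmd} add pass tcp from any to me ${svc} in via ${oif} setup
    done

    # Outbound connections from this host, with state so replies return.
    ${fwcmd} add pass tcp from me to any out via ${oif} setup keep-state
    ${fwcmd} add pass udp from me to any domain out via ${oif} keep-state

    # Anything else arriving on the outside interface is refused and logged.
    ${fwcmd} add deny log ip from any to any in via ${oif}
}

dynamic_ip_rules
```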