From owner-freebsd-questions Wed Feb 26 13:03:40 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA03102 for questions-outgoing; Wed, 26 Feb 1997 13:03:40 -0800 (PST)
Received: (from jmb@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA03088; Wed, 26 Feb 1997 13:03:34 -0800 (PST)
From: "Jonathan M. Bresler"
Message-Id: <199702262103.NAA03088@freefall.freebsd.org>
Subject: Re: ipfw rules problems (NOT operator?)
To: brandon@cold.org (Brandon Gillespie)
Date: Wed, 26 Feb 1997 13:03:34 -0800 (PST)
Cc: freebsd-questions@freebsd.org
In-Reply-To: from "Brandon Gillespie" at Feb 26, 97 11:51:50 am
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Brandon Gillespie wrote:
> 
> I have need for a 'not' operator with ipfw--or at least I do based off my
> minimal knowledge of ipfw rules (from the man pages) and what I need. To
> explain... My network topology uses two 'walls':
> 
>               :                         |
>  Internet => : => Local Network => | => Secure Network
>               :                         |
>           Cleanwall                 Firewall
> 
> Basically, the cleanwall is just our Cisco router, which is set up to deny
> spoofing and to drop anything from 192.168.0 on the floor. Most of the
> workstations in the building are on the Local network. The secure network
> will contain our database systems. I'm working on setting up a FreeBSD
> box as the Firewall. I want the firewall to deny all packets that are NOT
> from our IP domain (206.81.134.0). I was hoping for a rule with ipfw (and
> I couldn't find it) like:
> 
> ipfw add deny all NOT from ${onet}:${omask} to any from ${oif}
> 
> An alternative I have considered is to simply allow any from $onet, and
> deny everything else--but this rule would drop it out immediately, so I
> couldn't further filter based on protocol and port.
Brandon,

it seems to me that "deny all not from ${onet}:${omask} to any" is the
same as "allow all from ${onet}:${omask} to any"

why not:

	allow packets from 206.81.134.0
	allow packets "filter based on protocol and port"
	drop all other packets

do i not understand what you wish to achieve?

in short it is not clear to me what packets you want to allow

jmb
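The point behind jmb's suggested ordering is that ipfw evaluates rules in numeric order and the first match decides, so a blanket "allow all from ${onet}" placed early swallows every packet from that network before any port-specific rule is reached, while placing the port-specific allows first and a final "deny all" last gives the same effect as a "deny all not from ${onet}" rule without needing a NOT operator. The following is an added example, not code from this thread or from FreeBSD's ipfw: a small first-match simulator for the subset of rule syntax used above (rule number, allow/deny, protocol, "from net:mask|any", "to net:mask|any", optional destination port). Interface clauses ("via", "in"/"out") are not modelled, the rule numbers, port choices and sample packets are constructed for illustration, and the default policy when nothing matches is assumed to be deny.

```python
"""First-match simulator for a subset of ipfw rule syntax.

Added example for this thread; not FreeBSD's ipfw and not code from the
original mail.  Models rule numbers, allow/deny, proto (all/tcp/udp),
"from <net>:<mask>|any", "to <net>:<mask>|any" and an optional
destination port.  Interface clauses are not modelled.  Default policy
when no rule matches is assumed to be deny.
"""
import ipaddress

ONET, OMASK = "206.81.134.0", "255.255.255.0"   # Brandon's ${onet}:${omask}


def parse_addr(spec):
    """'any' -> None (wildcard); 'net:mask' -> network; bare host -> /32."""
    if spec == "any":
        return None
    if ":" in spec:
        net, mask = spec.split(":", 1)
        return ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ipaddress.ip_network(f"{spec}/32")


def parse_rule(line):
    """'allow tcp from 206.81.134.0:255.255.255.0 to any 80' -> dict."""
    toks = line.split()
    if len(toks) < 6 or toks[2] != "from" or toks[4] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return {
        "action": toks[0],
        "proto": toks[1],
        "src": parse_addr(toks[3]),
        "dst": parse_addr(toks[5]),
        "dport": int(toks[6]) if len(toks) > 6 else None,
    }


def matches(rule, pkt):
    """True if pkt (proto, src, dst, dport) satisfies every field of rule."""
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"] is not None and pkt.get("dport") != rule["dport"]:
        return False
    return True


def evaluate(ruleset, pkt):
    """Walk numbered rules in order; the first match decides.
    Returns (rule_number, action), or (None, 'deny') if nothing matched."""
    for number, text in ruleset:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return number, rule["action"]
    return None, "deny"


# The ordering Brandon worried about: the blanket allow for ${onet} is hit
# first, so rule 200 is never reached for hosts on that network.
BLANKET_ALLOW_FIRST = [
    (100, f"allow all from {ONET}:{OMASK} to any"),
    (200, "deny tcp from any to any 23"),          # dead rule for onet hosts
    (300, "deny all from any to any"),
]

# jmb's suggestion: allow only specific protocol/port combinations from
# ${onet}, then drop everything else.  Packets not from ${onet} fall
# through to rule 300, which is what "deny all not from ${onet}" would do.
SPECIFIC_ALLOW_THEN_DENY = [
    (100, f"allow tcp from {ONET}:{OMASK} to any 80"),
    (200, f"allow tcp from {ONET}:{OMASK} to any 25"),
    (300, "deny all from any to any"),
]

# Constructed sample packets (hypothetical addresses on and off ${onet}).
PACKETS = {
    "web_from_onet":    {"proto": "tcp", "src": "206.81.134.7", "dst": "206.81.134.200", "dport": 80},
    "telnet_from_onet": {"proto": "tcp", "src": "206.81.134.7", "dst": "206.81.134.200", "dport": 23},
    "web_from_outside": {"proto": "tcp", "src": "10.0.0.5",     "dst": "206.81.134.200", "dport": 80},
}


def verdicts(ruleset):
    """Map each sample packet name to the (rule_number, action) that decided it."""
    return {name: evaluate(ruleset, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for label, rs in (("blanket allow first", BLANKET_ALLOW_FIRST),
                      ("specific allows, then deny", SPECIFIC_ALLOW_THEN_DENY)):
        print(label)
        for name, (num, action) in verdicts(rs).items():
            print(f"  {name:18s} -> rule {num}: {action}")
```

Running it shows the telnet packet from a 206.81.134.0 host accepted by rule 100 under the blanket ordering and dropped by rule 300 under the specific ordering, while the outside packet is dropped by rule 300 in both cases; the order of the rules, not a NOT operator, is what does the filtering.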