From: Odhiambo Washington
Date: Fri, 22 Apr 2016 22:16:10 +0300
Subject: Re: IPFW rules
To: sathiyaraj v
Cc: questions

On 22 April 2016 at 19:09, sathiyaraj v wrote:

> Hi Team,
>
> I want to understand the IP firewall rules. Consider the below
> rule
>
> ipfw allow tcp/udp from any to me
> What will this rule do? What does "me" refer to here? Is it the IP address of my
> system that applies the firewall rules? Or the MAC address of the interface?
>

It will allow all packets from the wild destined to your IP address. Your public IP address in this case. Assuming you do not need to protect your host from your LAN hosts.

>
> I am using 4.2 freebsd stack.
>

I don't know what that is, sorry. Is it FreeBSD 4.2 or IPFW version?

>
> I am trying to deny the packets which don't contain the IP and port of my
> destination.
>

You do not have to worry about those. They will NOT reach your host if they don't contain its IP address!

>
> My source IP is 171.21.47.100
> My Destination IP is : 171.21.47.128
>

What does that mean? Is .128 your default gateway or another host on the same subnet you want to reach from .100?

>
> I want to deny the tcp/udp packets which do not contain destination IP?
>

Wuah!

> What rule should I use to deny the packets?
> ipfw deny tcp/udp from any to !171.21.47.128
>
> Already I have tried to configure the flags ACCEPT, DSTMSK, dstip and port
> number as well. But the packets are not getting dropped.
> Can you please help me to achieve the above scenario? What flag do I need to
> set to achieve this?
>
> If you want the source code of my rule setting I can share.
>
>

You really must RTFM.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
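
The following is an added example, not part of the original message or of ipfw itself: a simplified Python model of first-match rule evaluation showing how `me` resolves against the addresses configured on the host for the two rules quoted in the thread. The host's address set, the rule numbers, the rule order and the default-deny final rule (65535) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed host: addresses configured on its interfaces. "me" matches any
# of these; it is an IP-level match and has nothing to do with MAC addresses.
LOCAL_ADDRS = {ipaddress.ip_address("171.21.47.128"),
               ipaddress.ip_address("127.0.0.1")}

@dataclass
class Rule:
    num: int
    action: str               # "allow" or "deny"
    protos: frozenset         # protocols the rule applies to
    dst: str                  # "any", "me", or a literal address
    negate_dst: bool = False  # models a negated destination ("not <addr>")

    def matches(self, proto, dst_ip):
        if proto not in self.protos:
            return False
        if self.dst == "any":
            hit = True
        elif self.dst == "me":
            hit = dst_ip in LOCAL_ADDRS
        else:
            hit = dst_ip == ipaddress.ip_address(self.dst)
        return hit != self.negate_dst

def evaluate(rules, proto, dst):
    """Rules are checked in ascending number; the first match decides.
    If nothing matches, the assumed default rule 65535 denies."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.matches(proto, dst_ip):
            return rule.action, rule.num
    return "deny", 65535

L4 = frozenset({"tcp", "udp"})
# The two rules from the thread, placed in a constructed order.
RULESET = [
    Rule(100, "deny", L4, "171.21.47.128", negate_dst=True),
    Rule(200, "allow", L4, "me"),
]

if __name__ == "__main__":
    # Constructed test packets: (protocol, destination address).
    for proto, dst in [("tcp", "171.21.47.128"), ("udp", "171.21.47.129"),
                       ("tcp", "127.0.0.1"), ("icmp", "171.21.47.128")]:
        print(proto, dst, evaluate(RULESET, proto, dst))
```

Swapping the two rule numbers changes the verdict for loopback traffic, because `me` covers every local address while the deny rule exempts only 171.21.47.128.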