From owner-freebsd-net@FreeBSD.ORG Fri Jun 12 06:59:46 2015
Message-ID: <557A835C.1090106@madpilot.net>
Date: Fri, 12 Jun 2015 08:59:40 +0200
From: Guido Falsi <mad@madpilot.net>
To: John Reynolds, freebsd-net@freebsd.org
Subject: Re: question on NAT + IPFW
References:
<557A48A2.4090805@reynoldsnet.org> <557A80F8.1070109@madpilot.net>
In-Reply-To: <557A80F8.1070109@madpilot.net>
List-Id: Networking and TCP/IP with FreeBSD

On 06/12/15 08:49, Guido Falsi wrote:
> On 06/12/15 04:49, John Reynolds wrote:
>>
>> I have a situation where I need to just simply "block all traffic" from
>> some teenagers' mobile devices after a certain period of the day (don't
>> ask .... teenagers......). So, would that rule look like this:
>>
>> $cmd 005 allow all from any to any via xl0 # exclude LAN traffic
>> $cmd 010 allow all from any to any via lo0 # exclude loopback traffic
>>
>> $cmd 020 deny log all from 192.168.1.20 to any via xl0 # new rule
>>
>> $cmd 100 divert natd ip from any to any in via $pif # NAT any inbound packets
>> $cmd 101 check-state
>>
>> (assuming 192.168.1.20 was the internal IP address for the mobile device
>> I want to thwart)
>>
>> Would this accomplish what I'm hoping for? I currently don't have any
>> real FW to speak of--ipfw is there but the type is "open," so I'm trying
>> to learn as I go along in order to set up an actual firewall for this box
>> at the same time.
>
> Looks correct, assuming xl0 is your internal interface (better put it in
> a variable and use the variable in your rules imho)

Forgot one thing: working around this block is as easy as changing the
machine's IP. A teenager can learn this easily, and it can be done in a lot
of ways; even if they are not root (or equivalent) on their machine, they
can just boot from a CD with some live OS.
You could have a better block by also checking the MAC address, like this:

$cmd 021 deny log MAC any 00:aa:00:00:00:01 via xl0

(not tested)

MAC addresses can be modified too, but it's somewhat more difficult.

-- 
Guido Falsi
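Added example, not from the list post above: a small sh script that builds the rule set the thread discusses, blocking one device by MAC address and, as a fallback, by IP. The interface names (xl0 inside, dc0 outside), the addresses and the rule numbers are placeholders chosen for illustration. Two details the thread does not spell out: ipfw only sees Ethernet frames, and therefore MAC addresses, once net.link.ether.ipfw=1 is set, and the MAC option takes the destination address first and the source second; and because ipfw stops at the first matching rule, the deny rules must carry lower numbers than the "allow all via xl0" rule, otherwise they never match. With DRY_RUN=1 (the default) the script prints the ipfw commands instead of running them, so it can be checked on any system before it is installed as root on the FreeBSD box.

```sh
#!/bin/sh
# Added example (not from the list thread): generate or install an ipfw
# rule set that blocks one LAN host by MAC address and, as a fallback, by IP.
# Interface names, addresses and rule numbers are placeholders.

LAN_IF="${LAN_IF:-xl0}"                     # internal interface (assumed)
WAN_IF="${WAN_IF:-dc0}"                     # external interface (assumed)
BLOCK_IP="${BLOCK_IP:-192.168.1.20}"        # host to block, from the thread
BLOCK_MAC="${BLOCK_MAC:-00:aa:00:00:00:01}" # hypothetical 6-octet MAC
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands, 0 = run them

# A MAC address is exactly six hex octets separated by colons; ipfw rejects
# anything else, so check it before building rules.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipfw only sees Ethernet frames (and therefore MAC addresses) when this
# sysctl is on; without it a MAC rule never matches anything.
enable_layer2() {
    run sysctl net.link.ether.ipfw=1
}

# Emit the rules, lowest number first. ipfw stops at the first matching rule,
# so the deny rules must precede the blanket allow for the LAN interface.
# Usage: build_rules [ip-to-block] [mac-to-block]
build_rules() {
    ip="${1:-$BLOCK_IP}"
    mac="${2:-$BLOCK_MAC}"
    valid_mac "$mac" || { printf 'invalid MAC: %s\n' "$mac" >&2; return 1; }

    # Layer-2 pass. MAC syntax is "MAC dst-mac src-mac": drop frames sent
    # by the device, then end the layer-2 pass for everyone else so the
    # remaining rules are evaluated only once, at layer 3.
    run ipfw -q add 010 deny log MAC any "$mac" in via "$LAN_IF" layer2
    run ipfw -q add 011 allow layer2

    # Layer-3 fallback: still catches the host while it keeps this address.
    run ipfw -q add 020 deny log ip from "$ip" to any in via "$LAN_IF"

    run ipfw -q add 030 allow ip from any to any via lo0
    run ipfw -q add 031 allow ip from any to any via "$LAN_IF"
    run ipfw -q add 100 divert natd ip from any to any in via "$WAN_IF"
    run ipfw -q add 101 check-state
}

# sh block_host.sh             prints the commands
# DRY_RUN=0 sh block_host.sh   installs them (as root, on FreeBSD)
enable_layer2
build_rules
```

The MAC rule only blocks frames the device sends; replies addressed to it are dropped implicitly because nothing ever reaches the far end. Swapping the two addresses (MAC "$mac" any) would block traffic towards the device instead, which is rarely what is wanted and would also fill the log with retransmissions.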