From owner-freebsd-questions@FreeBSD.ORG  Tue Jul 26 21:26:36 2005
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7D30016A41F
	for <freebsd-questions@freebsd.org>;
	Tue, 26 Jul 2005 21:26:36 +0000 (GMT)
	(envelope-from eric@pretorious.net)
Received: from mail.leaguehost.net (node-423a611b.sjc.onnet.us.uu.net
	[66.58.97.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id D135C43D45
	for <freebsd-questions@freebsd.org>;
	Tue, 26 Jul 2005 21:26:35 +0000 (GMT)
	(envelope-from eric@pretorious.net)
Received: from [192.168.1.115] (adsl-69-227-121-18.dsl.scrm01.pacbell.net
	[69.227.121.18])
	by mail.leaguehost.net (Postfix) with ESMTP id 15BC0BF64
	for <freebsd-questions@freebsd.org>;
	Tue, 26 Jul 2005 14:37:43 -0700 (PDT)
From: Eric Pretorious <eric@pretorious.net>
To: freebsd-questions@freebsd.org
User-Agent: KMail/1.7.1
References: <200507261219.08111.eric@pretorious.net>
In-Reply-To: <200507261219.08111.eric@pretorious.net>
MIME-Version: 1.0
Content-Disposition: inline
Date: Tue, 26 Jul 2005 14:01:31 -0700
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <200507261401.31860.eric@pretorious.net>
Subject: Re: ipfw: deny traffic between interfaces
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: eric@pretorious.net
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2005 21:26:36 -0000

On Tuesday 26 July 2005 12:19 pm, Eric Pretorious wrote:
>I'm using FreeBSD 4.10 as a masquerading firewall for three private networks 
>and want to restrict traffic between each interface (kind of like VLAN's).

FWIW: This construct *seems* to have the effect that I desire:

  ipfw add 500 deny all from any to any out recv rl0 xmit fxp0
  ipfw add 501 deny all from any to any out recv rl0 xmit sis1
  ipfw add 502 deny all from any to any out recv fxp0 xmit rl0
  ipfw add 503 deny all from any to any out recv fxp0 xmit sis1
  ipfw add 504 deny all from any to any out recv sis1 xmit rl0
  ipfw add 505 deny all from any to any out recv sis1 xmit fxp0

I'm not 100% certain of incoming/outgoing packets and the receive & transmit 
"interfaces", though. (The man page doesn't elaborate on this rule option.)

-- 
Eric P.,
Truckee, CA