From owner-freebsd-questions Tue Jul 30 6:36:56 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0645637B400 for ; Tue, 30 Jul 2002 06:36:53 -0700 (PDT)
Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CBD743E42 for ; Tue, 30 Jul 2002 06:36:52 -0700 (PDT) (envelope-from jackstone@sage-one.net)
Received: from sagea (sagea [192.168.0.3]) by sage-one.net (8.11.6/8.11.6) with SMTP id g6UDacB62908; Tue, 30 Jul 2002 08:36:38 -0500 (CDT) (envelope-from jackstone@sage-one.net)
Message-Id: <3.0.5.32.20020730083636.011ab608@mail.sage-one.net>
X-Sender: jackstone@mail.sage-one.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Tue, 30 Jul 2002 08:36:36 -0500
To: robert Backhaus, Mark Pearce, freebsd-questions@FreeBSD.ORG
From: "Jack L. Stone"
Subject: Re: ipfw weirdness
In-Reply-To: <20020730132534.52905.qmail@web12902.mail.yahoo.com>
References: <20020730143133.217d5d2d.mark@netchat.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 06:25 AM 7.30.2002 -0700, robert Backhaus wrote:
>Your suggested rules didn't make a lot of sense to me.
>
>--- Mark Pearce wrote:
>> Hi all
>>
>> I have the following situation. I have a client behind my box running Exchange,
>> and they are getting spammed to death. I want to disallow all incoming traffic
>> to their box, but allow incoming traffic from their secondaries only; the
>> secondaries are not getting spammed at this moment.
>>
>> I am running an ipfw / natd combination.
>>
>> My default ruleset is allow all.
>> I run the command
>>
>> ipfw add allow 200 tcp from 196.x.x.x to 196.x.x.y 25
>
>This would allow communication between 2 machines. It is matching packets from
>machine 196.x.x.x to machine 196.x.x.y, not packets involving the range. If these
>are both on the same subnet and don't go through your router, this rule should
>have no effect - the rule would never trigger.
>
>> and it effectively blocks everything coming from anywhere even though I have
>> just allowed it. If I remove the rule, it works fine again.
>>
>> If I run the rule
>> ipfw add 200 deny tcp from not 196.x.x.x to 196.x.x.y 25
>
>That may kill almost everything - anything coming from any machine that is not
>196.x.x.x to 196.x.x.y on port 25.
>
>Maybe I've got something wrong, in which case I would LOVE to be corrected.
>
>> it works on the port, but blocks all other traffic, which is not what I had
>> in mind.
>>
>> What am I overlooking here?
>>
>> Help
>>
>> Mark
>>
>I think you're after
>
>  ipfw add 200 deny tcp from any to 196.x.x.y 25
>
>That would block all mail posting to its SMTP.
>

....also, is the rule inserted before or after your "divert" rule....???

Best regards,
Jack L. Stone, Administrator
SageOne Net
http://www.sage-one.net
jackstone@sage-one.net
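The two points raised in this thread, that ipfw matches first rule wins (so the per-secondary allows must be numbered below the catch-all deny), and that a rule placed after the natd divert never sees the public destination address on inbound packets (natd has already rewritten it to the internal one), can be put together in one small script. This is an added example, not something any of the posters wrote: the interface name, rule numbers and the 192.0.2.x addresses are placeholders, and `IPFW=echo` lets you preview the commands without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread). Emits or applies an ipfw ruleset that
# allows SMTP from a client's secondary MXs only, denies SMTP from everyone else,
# and keeps both rules in front of the natd divert rule.
#
# ipfw evaluates rules in ascending number order and stops at the first match,
# so the allow rules get lower numbers than the deny, and both get lower
# numbers than the divert: once natd has rewritten the destination of an
# inbound packet to the internal address, a rule naming the public address
# can no longer match it.

IPFW="${IPFW:-ipfw}"          # set IPFW=echo to preview the commands (assumed usage)
IFACE="${IFACE:-xl0}"         # outside interface natd runs on (placeholder)
EXCHANGE="${EXCHANGE:-192.0.2.10}"                    # client's public SMTP address (placeholder)
SECONDARIES="${SECONDARIES:-192.0.2.20 192.0.2.21}"   # secondary MX hosts (placeholders)

# Rule layout (numbers are placeholders):
#   100, 101, ...  allow tcp/25 from each secondary MX to the Exchange box
#   190            deny  tcp/25 from anywhere else to the Exchange box
#   200            divert natd for everything on the outside interface
build_ruleset() {
    n=100
    for mx in $SECONDARIES; do
        "$IPFW" add "$n" allow tcp from "$mx" to "$EXCHANGE" 25 in via "$IFACE"
        n=$((n + 1))
    done
    "$IPFW" add 190 deny tcp from any to "$EXCHANGE" 25 in via "$IFACE"
    "$IPFW" add 200 divert natd ip from any to any via "$IFACE"
}

# Preview helper: prints the rule number of the first emitted rule whose
# action is $1 (allow, deny or divert). With IPFW=echo each line reads
# "add <number> <action> ...", so the number is field 2 and the action field 3.
first_rule_number() {
    (IPFW=echo; build_ruleset) | awk -v act="$1" '$3 == act { print $2; exit }'
}
```

To check the ordering before applying anything, source the file and run `(IPFW=echo; build_ruleset)`; the allow lines should print first, then the deny, then the divert. Run `build_ruleset` with the default `IPFW` on the firewall itself only once the preview matches what you intend.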