Date: 27 Apr 2003 09:58:17 -0400
From: Lowell Gilbert <freebsd-questions-local@be-well.no-ip.com>
To: Antoine Jacoutot <ajacoutot@lphp.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: firewall dynamic IP
Message-ID: <441xzot53a.fsf@be-well.ilk.org>
In-Reply-To: <200304251159.36187.ajacoutot@lphp.org>
References: <200304251159.36187.ajacoutot@lphp.org>

Antoine Jacoutot <ajacoutot@lphp.org> writes:

> In my progress of still learning firewall with ipfw, I have a question.
> Can I convert the following rule:
>
> ${fwcmd} add pass tcp from any to ${oip} 25 setup
>
> into one of those (which one would be the best, I guess the second one, right?):
>
> ${fwcmd} add pass tcp from any to any via tun0 25 setup
> ${fwcmd} add pass tcp from any to me in via tun0 setup

Personally, I don't use the "me" rules very much because they're
slower, and I have other rules that should be blocking packets that
aren't addressed to me.  It's probably not a bad idea, though -- a
little extra protection.

I think the syntax you want is to put the port number right after the
address, though.  Furthermore, I'd recommend using names instead of
numbers for TCP ports, because it makes the setup more readable.

    ${fwcmd} add pass tcp from any to me telnet in via tun0 setup

> I ask this question because I do not have a fixed @ip on the outside interface
> so I cannot use the ${oip} (outside @ip) variable.

Right.

> By the way, is there a difference between:
> ${fwcmd} add pass... and ${fwcmd} add allow... ?

No difference.  Quoting the manual page:

     allow | accept | pass | permit
             Allow packets that match rule.  The search terminates.
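
An rc.firewall-style fragment for the conversion discussed above, added here as an example and not part of the original e-mail or of either poster's ruleset. The helper names, the dry-run default for fwcmd and the surrounding "established" and "deny" rules are assumptions; smtp is the /etc/services name for port 25 in the original rule.

```sh
#!/bin/sh
# Added example: inbound-service rule for an outside interface whose
# address is dynamic. Dry run by default: the ipfw commands are printed,
# not executed. On the firewall itself, set fwcmd="/sbin/ipfw -q".
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-tun0}"     # outside interface named in the thread
oip="${oip:-}"         # leave empty when the outside address is dynamic

# allow_inbound_tcp SERVICE  (hypothetical helper)
# Emits one rule admitting new inbound TCP connections to SERVICE.
# With a fixed address the rule matches ${oip}; without one it matches
# "me" (any address configured on this host) and is pinned to packets
# arriving on ${oif}, so it keeps working when the address changes.
allow_inbound_tcp() {
    service="$1"
    case "$service" in
        ''|*[!A-Za-z0-9_-]*)
            echo "allow_inbound_tcp: bad service name: '$service'" >&2
            return 1 ;;
    esac
    if [ -n "$oip" ]; then
        ${fwcmd} add pass tcp from any to "$oip" "$service" setup
    else
        ${fwcmd} add pass tcp from any to me "$service" in via "$oif" setup
    fi
}

# build_ruleset  (hypothetical helper)
# "setup" matches only the opening SYN, so the rest of each connection
# needs an "established" rule, as the stock rc.firewall has (assumption:
# the thread does not show the remainder of the poster's ruleset).
build_ruleset() {
    ${fwcmd} add pass tcp from any to any established
    allow_inbound_tcp smtp || return 1      # port 25, by name
    # Refuse every other inbound connection attempt on the outside interface.
    ${fwcmd} add deny tcp from any to any in via "$oif" setup
}

build_ruleset
```

Review the printed rules before running them with fwcmd pointed at the real ipfw binary.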