Date:      Wed, 24 Sep 1997 09:02:23 +0200 (SAT)
From:      Reinier Bezuidenhout <rbezuide@oskar.nanoteq.co.za>
To:        brandon@roguetrader.com (Brandon Gillespie)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: Using 'ipfw' but still allowing access to the net devices..
Message-ID:  <199709240702.JAA02818@oskar.nanoteq.co.za>
In-Reply-To: <Pine.BSF.3.96.970923153119.1744A-100000@roguetrader.com> from Brandon Gillespie at "Sep 23, 97 03:34:50 pm"

Hi ...

> Just curious, how do I use 'ipfw' AND a routing daemon?  I need my
> 'firewall' to also talk some routing protocol (any protocol, RIP if need
> be), but when I run routed or gated I get permission denied, because ipfw
> isn't allowing it on the local machines.  If I add the rule:
> 

If security isn't your highest priority you could just add
ipfw add 1000 accept udp from any 520 to any 520
And that should do the trick.


You can also be much more restrictive in your rules by doing
the following.

e.g.

## For the startup of the routing daemon, the daemon requests a direct
## reply from other routing daemons
ipfw add 1000 accept udp from any 520 to (local-IP-1) 520 in recv (interface-1)
ipfw add 1001 accept udp from any 520 to (local-IP-2) 520 in recv (interface-2)
.
.
ipfw add 100X accept udp from any 520 to (local-IP-X) 520 in recv (interface-X)

# After the startup, it will be broadcast on the subnet
ipfw add 2001 accept udp from any 520 to (subnet-broadcast-ip) in recv (intrf-1)
ipfw add 2002 accept udp from any 520 to (subnet-broadcast-ip) in recv (intrf-2)
.
.
ipfw add 200X accept udp from any 520 to (subnet-broadcast-ip) in recv (intrf-X)


##If you know where the routing info is coming from, you could also
##change the "any" in the above rules to those machine(s)' specific
##IPs and make it even more restrictive, although you could also
##configure gated to only accept RIP info from certain machines


##The above rules are for incoming packets, 
##but you also have to allow outgoing packets
##on which you could be much less restrictive as you trust your own machine
##(hopefully :) )

ipfw add 3000 accept udp from any 520 to any 520 out xmit (interface-1)
ipfw add 3001 accept udp from any 520 to any 520 out xmit (interface-2)
.
.
ipfw add 300X accept udp from any 520 to any 520 out xmit (interface-X)


## IMPORTANT -- it is important to note that some hardware routers,
## I think Wellfleets maybe .. don't broadcast routing info on the
## local subnet broadcast, but on the general broadcast 255.255.255.255
## - or it might be that the times I saw it, they were configured
## wrongly.

## An example for a machine having 2 interfaces,
## 2.2.2.2 Class C (ed1) and 1.1.1.2 Class C (ed0), would be

## Incoming
ipfw add 1000 accept udp from any 520 to 1.1.1.2 in recv ed0
ipfw add 1001 accept udp from any 520 to 2.2.2.2 in recv ed1
ipfw add 2001 accept udp from any 520 to 1.1.1.255 in recv ed0
ipfw add 2002 accept udp from any 520 to 2.2.2.255 in recv ed1

## To cater for some routers
ipfw add 3001 accept udp from any 520 to 255.255.255.255 in recv ed0
ipfw add 3002 accept udp from any 520 to 255.255.255.255 in recv ed1


## Outgoing
ipfw add 2000 accept udp from any 520 to 1.1.1.255 520 out xmit ed0
ipfw add 2001 accept udp from any 520 to 2.2.2.255 520 out xmit ed1




I hope this helps 
Reinier Bezuidenhout

###################################################################
#							          #
#  R.N. Bezuidenhout                  NetSeq Firewall     	  #
#  rbezuide@oskar.nanoteq.co.za	      http://www.nanoteq.co.za    #  
#								  #
###################################################################
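The rule set above is written out by hand for two interfaces. As an added example (not part of Reinier's reply or of the FreeBSD ipfw documentation), the following POSIX shell script generates the same four kinds of rule for any number of interfaces: unicast replies at daemon startup, subnet-directed broadcasts, the 255.255.255.255 case for routers that use the limited broadcast, and the outgoing announcements. It derives the directed broadcast address from the interface address and netmask, so it also covers subnets that are not plain Class C, and it restricts outgoing packets to the interface's own address rather than "any", which is tighter than the reply's outgoing rules. The interface list `IFACES` is a constructed sample; the `ipfw add ... in recv`/`out xmit` syntax is the one used in the thread. The script only prints the commands, so it can be reviewed before being piped to `sh` on the firewall.

```shell
#!/bin/sh
# Added example, not from the original e-mail: generate per-interface ipfw
# rules for RIP (UDP port 520). Entries are "ifname:address:netmask".
# Constructed sample matching the two-interface example in the reply:
IFACES="ed0:1.1.1.2:255.255.255.0 ed1:2.2.2.2:255.255.255.0"

# broadcast_of ADDR MASK -> directed broadcast address, computed octet by octet
# (host bits of the mask set to 1, network bits kept from ADDR).
broadcast_of() {
    _addr=$1 _mask=$2 _out=""
    _i=1
    while [ "$_i" -le 4 ]; do
        _a=$(echo "$_addr" | cut -d. -f"$_i")
        _m=$(echo "$_mask" | cut -d. -f"$_i")
        _b=$(( (_a & _m) | (255 - _m) ))
        _out="${_out}${_out:+.}$_b"
        _i=$((_i + 1))
    done
    echo "$_out"
}

# rip_rules "if:addr:mask ..." -> prints one ipfw command per line.
# Rule numbers: 1000s unicast in, 2000s directed broadcast in,
# 3000s limited broadcast in, 4000s out (kept in separate ranges so that
# incoming and outgoing rules never share a number).
rip_rules() {
    _n=0
    for _entry in $1; do
        _if=${_entry%%:*}
        _rest=${_entry#*:}
        _ip=${_rest%%:*}
        _mask=${_rest#*:}
        _bcast=$(broadcast_of "$_ip" "$_mask")
        # unicast replies from other routers while the daemon starts up
        echo "ipfw add $((1000 + _n)) accept udp from any 520 to $_ip 520 in recv $_if"
        # normal operation: updates sent to the subnet-directed broadcast
        echo "ipfw add $((2000 + _n)) accept udp from any 520 to $_bcast 520 in recv $_if"
        # routers that announce on the limited broadcast address instead
        echo "ipfw add $((3000 + _n)) accept udp from any 520 to 255.255.255.255 520 in recv $_if"
        # this host's own announcements, restricted to its interface address
        echo "ipfw add $((4000 + _n)) accept udp from $_ip 520 to $_bcast 520 out xmit $_if"
        _n=$((_n + 1))
    done
}

rip_rules "$IFACES"
```

Because the input is a space-separated list, adding a third interface is just another `ifname:address:netmask` entry; the rule numbers stay in their ranges, so the generated set can be inspected with `ipfw list` and matched back to the interface it came from.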





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199709240702.JAA02818>