Date: Wed, 26 Feb 1997 16:24:16 -0800 (PST)
From: "Jonathan M. Bresler" <jmb>
To: brandon@cold.org (Brandon Gillespie)
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw rules problems (NOT operator?)
Message-ID: <199702270024.QAA14443@freefall.freebsd.org>
In-Reply-To: <Pine.NEB.3.95.970226143851.3510A-100000@cold.org> from "Brandon Gillespie" at Feb 26, 97 02:40:06 pm
Brandon Gillespie wrote:
>
> > Brandon,
> > it seems to me that "deny all not from ${onet}:${omask} to any"
> > is the same as "allow all from ${onet}:${omask} to any"
> >
> > why not:
> >
> > allow packets from 206.81.134.0
> > allow packets "filter based on protocol and port"
> > drop all other packets
> >
> > do i not understand what you wish to achieve?
> > in short it is not clear to me what packets you want to allow
>
> They are SORTOF equivalent, _except_ for I want to further add additional
> rules. When the packet matches 'allow all from blah' it drops out of the
> rule checking, and isn't affected anymore. This is NOT what I want--I
> want to further check for ports and protocols.

then write those rules and do not write an "allow all from ${onet}:${omask} to any" rule.

how about telling us what effect you want? for instance allow telnet from the inside to ___, but no incoming telnet connections. allow pasv ftp. don't allow any icmp. etc...

jmb
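The point both sides of this exchange are circling is first-match evaluation: ipfw scans the rule list in order and the first matching rule decides, so a broad "allow all from ${onet}:${omask} to any" placed early makes every port or protocol rule below it unreachable for traffic from that network. The simulator below is an added example, not code from the thread or from FreeBSD; it models that semantics over a few constructed packets and contrasts the ordering from the question with the ordering jmb suggests. The /24 mask, the 192.0.2.0/24 outside addresses and the telnet/icmp policy are assumptions chosen to match the services named in the reply.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# 206.81.134.0 appears in the thread; the /24 mask is an assumption standing
# in for ${onet}:${omask}.
ONET = "206.81.134.0/24"


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source address
    dst: str                      # destination address
    dport: Optional[int] = None   # destination port (tcp/udp only)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "all"            # "all" matches every protocol
    src: str = "any"              # "any" or a network in CIDR form
    dst: str = "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules, pkt):
    """First-match semantics: scan in order; the first matching rule decides
    and nothing after it is consulted. Returns (action, rule index)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    # No explicit match: treated as deny here (an assumption; the real default
    # is a kernel setting, which is why a rule set should end in a catch-all).
    return "deny", None


# The ordering from the question: the broad allow comes first, so the icmp
# rule below it is never consulted for traffic originating in ONET.
BROAD_FIRST = [
    Rule("allow", src=ONET),                        # allow all from ONET to any
    Rule("deny", proto="icmp"),                     # unreachable for ONET sources
    Rule("deny", proto="tcp", dst=ONET, dport=23),  # no incoming telnet
    Rule("deny"),                                   # deny all from any to any
]

# The ordering jmb suggests: only the specific rules, no broad allow, and a
# catch-all deny at the end. The service list itself is a constructed policy.
SPECIFIC_FIRST = [
    Rule("deny", proto="tcp", dst=ONET, dport=23),   # no incoming telnet connections
    Rule("deny", proto="icmp"),                      # don't allow any icmp
    Rule("allow", proto="tcp", src=ONET, dport=23),  # telnet from the inside outwards
    Rule("deny"),                                    # everything else is dropped
]


def compare(pkt):
    """Evaluate one packet under both rule sets for side-by-side inspection."""
    return {"broad_first": evaluate(BROAD_FIRST, pkt),
            "specific_first": evaluate(SPECIFIC_FIRST, pkt)}


if __name__ == "__main__":
    # Constructed sample traffic; 192.0.2.0/24 is documentation address space.
    samples = [
        Packet("icmp", "206.81.134.5", "192.0.2.10"),      # ping out from inside
        Packet("tcp", "192.0.2.10", "206.81.134.5", 23),   # incoming telnet
        Packet("tcp", "206.81.134.5", "192.0.2.10", 23),   # outgoing telnet
        Packet("tcp", "206.81.134.5", "192.0.2.10", 80),   # outgoing http
    ]
    for p in samples:
        print(p, compare(p))
```

Running it shows the asymmetry: under BROAD_FIRST the outbound icmp packet is accepted by rule 0 and the icmp deny at index 1 never fires, while under SPECIFIC_FIRST the same packet is denied at index 1 and outbound traffic other than telnet falls through to the final catch-all. Incoming telnet is denied in both lists, because its source is outside ONET and so never hits the broad allow.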
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702270024.QAA14443>