Date: Wed, 9 May 2001 14:49:18 -0600 (MDT)
From: Nate Williams <nate@yogotech.com>
To: Michael Sharp <msharp@medmail.com>
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: ipfw
Message-ID: <15097.44366.138725.618271@nomad.yogotech.com>
In-Reply-To: <20010509200335.7680.cpmta@c000.sfo.cp.net>
References: <20010509200335.7680.cpmta@c000.sfo.cp.net>
[ Try to wrap your lines at 80 chars. please ]

> If I do ipfw -f flush I still have rule 65535 deny ip from any to any

This is the default rule, and can't be removed.

> which allows NOTHING in or OUT. I can add DENY chains all day, but I
> cannot add any ALLOW chains unless I put in rule 65000 allow ip from
> any to any but this goes at the very top and is the first chain
> processed ( which allows ANYTHING in ) even if there are DENY chains
> below it.

Not true. Rules are processed in order, and if you don't give a rule
number I don't know the order that a rule is inserted on the list. 'ipfw
list' should show you the process order though.

(BTW, what is this talk about 'ALLOW' and 'DENY' chains? I think you're
mixing up the FreeBSD implementation with the Linux 'chains'
implementation. FreeBSD's implementation is all rule based...)

> In /etc/rc.conf, I have firewall_enable="YES" and firewall_type="open"
> and still I cannot get rid of that pesky 65535 DENY everything rule
> that won't let me do anything unless I add " ipfw add allow ip from any
> to any " which allows everything despite ANY DENY chains.

If the 'allow/deny' *RULE* is processed before the other rule, then it
will take precedence. IPFW processes rules in order from start until it
finds a match, and then finishes. If a rule doesn't match, then the next
rule will be processed.

Nate

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
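The following is an added illustration for this archive page, not code from the thread or from FreeBSD: a small simulator of the ipfw behaviour Nate describes (rules walked in ascending number order, first match decides, rule 65535 "deny ip from any to any" always present and surviving a flush). It reproduces the situation in the quoted message, where firewall_type="open" leaves "65000 allow ip from any to any" in place and a deny added afterwards without a number is processed after it. The auto-numbering of unnumbered rules (last rule number plus a step of 100) and the accepted rule grammar are simplifying assumptions, as are the 10.0.0.0/8 deny and the sample addresses.

```python
"""Added example: a tiny model of ipfw's first-match rule walk (not FreeBSD code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_RULE = 65535   # ipfw's fixed catch-all: deny ip from any to any
AUTOINC_STEP = 100     # assumed spacing ipfw uses for rules added without a number

# Assumed subset of the ipfw grammar: "<action> <proto> from <src> to <dst>"
_RULE_RE = re.compile(r"^(allow|deny)\s+(ip|tcp|udp|icmp)\s+from\s+(\S+)\s+to\s+(\S+)$")


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str     # dotted-quad source address
    dst: str     # dotted-quad destination address


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network   # "any" is stored as 0.0.0.0/0
    dst: ipaddress.IPv4Network

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _net(token: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(number: int, text: str) -> Rule:
    m = _RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, proto, src, dst = m.groups()
    return Rule(number, action, proto, _net(src), _net(dst))


class Firewall:
    """Ordered rule list; the implicit rule 65535 is never stored, only implied."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, text: str, number: Optional[int] = None) -> int:
        """'ipfw add [number] <rule>'. Without a number the rule is placed after
        the current last rule (assumed: last + 100), so it cannot shadow an
        earlier allow no matter how many denies are added."""
        if number is None:
            last = self.rules[-1].number if self.rules else 0
            number = min(last + AUTOINC_STEP, DEFAULT_RULE - 1)
        if not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule numbers must be in 1..65534")
        self.rules.append(parse_rule(number, text))
        self.rules.sort(key=lambda r: r.number)   # stable sort keeps insertion order on ties
        return number

    def flush(self) -> None:
        """'ipfw -f flush': every rule goes, except the default one."""
        self.rules.clear()

    def decide(self, pkt: Packet) -> Tuple[str, int]:
        """Walk rules in number order; the first match wins, otherwise 65535 denies."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.number
        return "deny", DEFAULT_RULE

    def list_rules(self) -> List[str]:
        """Roughly what 'ipfw list' shows: the processing order."""
        lines = [f"{r.number:05d} {r.action} {r.proto} from {r.src} to {r.dst}" for r in self.rules]
        lines.append(f"{DEFAULT_RULE:05d} deny ip from any to any")
        return lines


def open_then_unnumbered_deny() -> Tuple[str, int]:
    """The quoted situation: 65000 allow is already there, deny added without a number."""
    fw = Firewall()
    fw.add("allow ip from any to any", 65000)
    fw.add("deny tcp from 10.0.0.0/8 to any")          # constructed deny, lands at 65100
    return fw.decide(Packet("tcp", "10.1.2.3", "192.0.2.10"))


def numbered_deny_before_allow() -> Tuple[str, int]:
    """Same rules, but the deny is numbered below 65000 so it is reached first."""
    fw = Firewall()
    fw.add("allow ip from any to any", 65000)
    fw.add("deny tcp from 10.0.0.0/8 to any", 100)
    return fw.decide(Packet("tcp", "10.1.2.3", "192.0.2.10"))


def flushed() -> Tuple[str, int]:
    """After 'ipfw -f flush' only 65535 is left, so nothing passes."""
    fw = Firewall()
    fw.add("allow ip from any to any", 65000)
    fw.flush()
    return fw.decide(Packet("udp", "192.0.2.1", "192.0.2.2"))


if __name__ == "__main__":
    fw = Firewall()
    fw.add("deny tcp from 10.0.0.0/8 to any", 100)
    fw.add("allow ip from any to any", 65000)
    print("\n".join(fw.list_rules()))
    print(open_then_unnumbered_deny(), numbered_deny_before_allow(), flushed())
```

The two `decide` results side by side are the whole point of the reply: the same deny rule is dead when it sits after 65000 and effective when it is numbered below it, and the only way to see which of the two you have is the processing order that `ipfw list` prints.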