Date: Wed, 15 Jan 97 14:23:55 CST
From: Joe Greco <jgreco@solaria.sol.net>
To: ejs@bfd.com (Eric J. Schwertfeger)
Cc: nate@mt.sri.com, phk@freebsd.org, current@freebsd.org
Subject: Re: ipfw cannot do this...
Message-ID: <199701152023.OAA14652@solaria.sol.net>
In-Reply-To: <Pine.BSF.3.95.970115111042.1500L-100000@harlie> from "Eric J. Schwertfeger" at Jan 15, 97 11:14:32 am
> On Wed, 15 Jan 1997, Nate Williams wrote:
>
> > > I just found out one thing we need in ipfw, the ability to inverse the
> > > sense of a rule:
> > >
> > > ipfw add deny not ip from 140.145.0.0 to any via ed0
> > > ipfw add deny not ip from any to 140.145.0.0 via ed1
> > >               ^^^
> > > ipfw add allow tcp from any to any 23
> > > ipfw add allow tcp from any to any 25
> > > ...
> > >
> > > any takers ?
> >
> > I'm not sure I follow what you want. What exactly are you trying to do?
>
> As someone that wants something like this, I think I can answer. Quite a
> few times, I've wanted to deny everything but a certain address range, and
> then further restrict that address range.
>
> Actually, what I really want is an ipfw add skip XXX ... where if
> something matches the rule, skip all other rules below XXX (yes, I always
> number my rules:-)

That would work.

ipfw gets to be messy when you want to implement both a cleanwall and a
firewall... not messy-impossible-to-do, but messy-hard-to-understand-and-read.
It gets very tricky to specify:

{
    /* RFC1918 cleanwall */
    if ( src = 10.0.0.0/8 || src = 127.0.0.0/8 ||
         src = 172.16.0.0/12 || src = 192.168.0.0/16 ) then drop;
    if ( dst = 10.0.0.0/8 || dst = 127.0.0.0/8 ||
         dst = 172.16.0.0/12 || dst = 192.168.0.0/16 ) then drop;

    /* My nets - outbound cleanwall */
    if ( outbound_interface = wan0 ) &&
       ( src != 206.55.64.0/20 && src != 204.95.172.0/24 &&
         src != 204.95.219.0/24 ) then drop;
    if ( outbound_interface = wan0 ) &&
       ( dst = 206.55.64.0/20 || dst = 204.95.172.0/24 ||
         dst = 204.95.219.0/24 ) then drop;

    /* My nets - inbound cleanwall */
    if ( inbound_interface = wan0 ) &&
       ( src = 206.55.64.0/20 || src = 204.95.172.0/24 ||
         src = 204.95.219.0/24 ) then drop;
    if ( inbound_interface = wan0 ) &&
       ( dst != 206.55.64.0/20 && dst != 204.95.172.0/24 &&
         dst != 204.95.219.0/24 ) then drop;

    /* My firewall rules */
    etc.
}

There's a lot of logic flow in there.

...
Joe
-------------------------------------------------------------------------------
Joe Greco - Systems Administrator                          jgreco@ns.sol.net
Solaria Public Access UNIX - Milwaukee, WI                     414/342-4847
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701152023.OAA14652>
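The following is an added example, not code from the thread or from ipfw itself. It models the three ideas the exchange turns on: numbered first-match rules, a "not" that inverts the sense of one rule, and Eric's proposed "skip XXX" (taken here to mean "resume evaluation at the first rule numbered >= XXX", which is what ipfw later shipped as skipto). Joe's cleanwall pseudocode is then written as a rule list so you can see how a negated interface match plus a skip lets one rule guard a whole block instead of repeating the interface test in every rule. Assumptions: packets carry an explicit in/out direction, the default rule 65535 denies, and the Packet/Rule types and the via/src_in/dst_in helpers are constructed for this example.

```python
"""Toy first-match rule engine for the ipfw discussion: numbered rules,
"not" (negate) and a forward-only "skip".  Constructed example, not ipfw's
own code; real ipfw syntax and its later "skipto" action differ in detail."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Address groups taken from Joe's pseudocode (RFC1918 plus loopback; "My nets").
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MY_NETS = [ipaddress.ip_network(n) for n in
           ("206.55.64.0/20", "204.95.172.0/24", "204.95.219.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str      # interface the packet traverses, e.g. "wan0"
    direction: str  # "in" or "out" relative to this host (assumed model)


@dataclass
class Rule:
    number: int
    action: str                      # "allow", "deny" or "skip"
    match: Callable[[Packet], bool]
    negate: bool = False             # the "not" Nate asked for
    target: int = 0                  # for "skip": resume at first rule >= target


def in_any(addr: str, nets) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def src_in(nets):
    return lambda p: in_any(p.src, nets)


def dst_in(nets):
    return lambda p: in_any(p.dst, nets)


def via(iface: str, direction: str):
    return lambda p: p.iface == iface and p.direction == direction


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk rules in numeric order; the first terminal rule that matches wins.
    Returns (verdict, rule number).  65535 is ipfw's default rule, assumed deny."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.match(pkt) != r.negate:        # negate flips the sense of the match
            if r.action == "skip":
                if r.target <= r.number:    # backwards skip would loop forever
                    raise ValueError(f"rule {r.number}: skip target must be later")
                i = next((k for k, rr in enumerate(rules) if rr.number >= r.target),
                         len(rules))        # no such rule: fall to the default
                continue
            return (r.action, r.number)
        i += 1
    return ("deny", 65535)


# Joe's cleanwall as a rule list.  Rule 200 reads "skip to 300 unless this is
# outbound on wan0", so 210/220 only run for that traffic; 300 does the same
# for the inbound block.  Real firewall rules would follow from 400.
CLEANWALL = [
    Rule(100, "deny", src_in(RFC1918)),
    Rule(110, "deny", dst_in(RFC1918)),
    Rule(200, "skip", via("wan0", "out"), negate=True, target=300),
    Rule(210, "deny", src_in(MY_NETS), negate=True),   # outbound src must be ours
    Rule(220, "deny", dst_in(MY_NETS)),                # outbound dst must not be ours
    Rule(300, "skip", via("wan0", "in"), negate=True, target=400),
    Rule(310, "deny", src_in(MY_NETS)),                # inbound src claiming our nets
    Rule(320, "deny", dst_in(MY_NETS), negate=True),   # inbound dst must be ours
    Rule(400, "allow", lambda p: True),                # "My firewall rules" start here
]


def cleanwall(src: str, dst: str, iface: str, direction: str) -> Tuple[str, int]:
    """Convenience wrapper: verdict and matching rule number for one packet."""
    return evaluate(CLEANWALL, Packet(src, dst, iface, direction))


if __name__ == "__main__":
    for args in (("206.55.70.1", "1.2.3.4", "wan0", "out"),   # legitimate egress
                 ("1.2.3.4", "8.8.8.8", "wan0", "out"),       # egress with foreign src
                 ("206.55.70.1", "1.2.3.4", "wan0", "in")):   # ingress spoofing our net
        print(args, "->", cleanwall(*args))
```

Each verdict comes back with the number of the rule that produced it, which is the thing you want in a log line when debugging a chain like this: a drop at 210 or 310 is an anti-spoofing hit, a drop at 100 or 110 is the RFC1918 filter, and the skip rules never appear as a verdict because they only redirect evaluation.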