Date:      Thu, 4 Oct 2001 07:18:35 -0400
From:      Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net>
To:        freebsd-questions@FreeBSD.org
Subject:   ipfw question - hostname/address spec?
Message-ID:  <20011004071834.A2458@acadia.ne.mediaone.net>

Hey all.  I have a question about ipfw.  I am under the impression
that it is ok to use a dns name for src or dest, as in the following
excerpt from my rc.firewall - IPADDR gets defined correctly, and
NEWS_SERVER is defined as news.ne.mediaone.net:

ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \
           via $EXT_INTERFACE out

ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
           via $EXT_INTERFACE in  established

but I get the following when testing the script:

ipfw: error: hostname ``news.ne.mediaone.net'' unknown
usage: ipfw [options]
    [pipe] flush
    add [number] rule
    [pipe] delete number ...
    [pipe] list [number ...]
    [pipe] show [number ...]
    zero [number ...]
    resetlog [number ...]
    pipe number config [pipeconfig]
  rule: [prob <match_probability>] action proto src dst extras...
    action:
      {allow|permit|accept|pass|deny|drop|reject|unreach code|
       reset|count|skipto num|divert port|tee port|fwd ip|
       pipe num} [log [logamount count]]
    proto: {ip|tcp|udp|icmp|<number>}
    src: from [not] {me|any|ip[{/bits|:mask}]}
[{port|port-port},[port],...]
    dst: to [not] {me|any|ip[{/bits|:mask}]}
[{port|port-port},[port],...]
  extras:
    uid {user id}
    gid {group id}
    fragment     (may not be used with ports or tcpflags)
    in
    out
    {xmit|recv|via} {iface|ip|any}
    {established|setup}
    tcpflags [!]{syn|fin|rst|ack|psh|urg},...
    ipoptions [!]{ssrr|lsrr|rr|ts},...
    tcpoptions [!]{mss|window|sack|ts|cc},...
    icmptypes {type[,type]}...
  pipeconfig:
    {bw|bandwidth}
<number>{bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}
    {bw|bandwidth} interface_name
    delay <milliseconds>
    queue <size>{packets|Bytes|KBytes}
    plr <fraction>
    mask {all| [dst-ip|src-ip|dst-port|src-port|proto] <number>}
    buckets <number>}
    {red|gred} <fraction>/<number>/<number>/<fraction>
    droptail

A similar error dump is generated for each rule using a hostname.

I have opened the dns ports by IP prior to using any hostnames.

Quoting from the handbook at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

. . .

The syntax used to specify an address/mask is:

address

or

address/mask-bits

or

address:mask-pattern


A valid hostname may be specified in place of the IP address.
. . .

So this last says a hostname is ok.

Anyone have any ideas?  I'm still confused.  Thanks for any help.
Lou
-- 
Louis LeBlanc       leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Juall's Law on Nice Guys:
  Nice guys don't always finish last; sometimes they don't finish.
  Sometimes they don't even get a chance to start!


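Added example, not part of the original message and not FreeBSD's own rc.firewall: a small POSIX sh helper that resolves each hostname itself (a pinned name-to-address table first, then the system resolver) before handing the rule to ipfw. ipfw resolves a hostname only once, through the system resolver, at the moment the rule is added; if that lookup fails the whole script aborts with the usage dump shown above, and if it succeeds the rule loaded into the kernel is just the address returned at that instant. Resolving first lets the script report the unresolvable name and carry on loading the rest of the ruleset, and pinning the addresses you care about removes the dependency on a DNS answer at boot. The hostnames, addresses and the STATIC_HOSTS table are constructed for this example; IPFW is a variable so the rules can be printed with `IPFW=echo` instead of loaded.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeBSD): resolve
# firewall hostnames to addresses before building ipfw rules.
# All names, addresses and the pinned table below are constructed.

IPFW="${IPFW:-echo ipfw}"                 # set IPFW=/sbin/ipfw to really load
EXT_INTERFACE="${EXT_INTERFACE:-fxp0}"    # constructed
IPADDR="${IPADDR:-192.0.2.10}"            # constructed
UNPRIVPORTS="${UNPRIVPORTS:-1024-65535}"
RESOLVE_WITH_SYSTEM="${RESOLVE_WITH_SYSTEM:-1}"   # 0 = pinned table only

# Constructed pinned name->address table, consulted before any DNS lookup.
# A pinned address cannot be rewritten by a wrong or spoofed DNS answer the
# next time the firewall is loaded, and needs no resolver at boot.
STATIC_HOSTS="
news.example.test 192.0.2.119
ntp.example.test  192.0.2.123
"

# True when the argument is a plain dotted-quad IPv4 literal.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    echo "$1" | awk -F. 'NF!=4{exit 1} {for(i=1;i<=4;i++) if($i==""||$i+0>255) exit 1}'
}

# Print one address for a name; exit status 1 (and nothing printed) if the
# name cannot be resolved.  Order: literal address, pinned table, resolver.
resolve_host() {
    name=$1
    if is_ipv4 "$name"; then
        echo "$name"
        return 0
    fi
    addr=$(echo "$STATIC_HOSTS" | awk -v n="$name" '$1==n{print $2; exit}')
    if [ -n "$addr" ]; then
        echo "$addr"
        return 0
    fi
    # System resolver (/etc/hosts, then DNS).  This only works once the DNS
    # rules written by address are already loaded and a nameserver is
    # reachable; that is exactly the point at which ipfw's own lookup fails.
    if [ "$RESOLVE_WITH_SYSTEM" = 1 ] && command -v getent >/dev/null 2>&1; then
        addr=$(getent hosts "$name" 2>/dev/null | awk 'NR==1{print $1}')
        if [ -n "$addr" ]; then
            echo "$addr"
            return 0
        fi
    fi
    echo "resolve_host: cannot resolve '$name', rule skipped" >&2
    return 1
}

# Emit the outbound rule and its inbound "established" twin for one TCP
# service, with the resolved address substituted for the hostname.
# Returns 1 and loads nothing when the name does not resolve, so one bad
# name no longer aborts the whole ruleset.
allow_tcp_service() {
    host=$1; port=$2
    addr=$(resolve_host "$host") || return 1
    $IPFW add allow tcp from "$IPADDR" "$UNPRIVPORTS" to "$addr" "$port" \
        via "$EXT_INTERFACE" out
    $IPFW add allow tcp from "$addr" "$port" to "$IPADDR" "$UNPRIVPORTS" \
        via "$EXT_INTERFACE" in established
}

# Demo with the constructed table: prints the rules instead of loading them.
allow_tcp_service news.example.test 119
allow_tcp_service ntp.example.test 123
```

Because the kernel only ever holds the literal address, a rule written with a hostname is a snapshot of whatever the resolver answered when rc.firewall ran: it does not follow later DNS changes, and for the news server above it grants an allow rule to whichever address DNS returned at load time. Pinning the address, or re-resolving and reloading under operator control, keeps that decision out of the hands of the DNS path.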



