Date: Thu, 4 Oct 2001 07:18:35 -0400 From: Louis LeBlanc <leblanc+freebsd@acadia.ne.mediaone.net> To: freebsd-questions@FreeBSD.org Subject: ipfw question - hostname/address spec? Message-ID: <20011004071834.A2458@acadia.ne.mediaone.net>
next in thread | raw e-mail | index | archive | help
Hey all. I have a question about ipfw. I am under the impression
that it is ok to use a dns name for src or dest, as in the following
excerpt from my rc.firewall - IPADDR gets defined correctly, and
NEWS_SERVER is defined as news.ne.mediaone.net:
ipfw add allow tcp from $IPADDR $UNPRIVPORTS to $NEWS_SERVER 119 \
via $EXT_INTERFACE out
ipfw add allow tcp from $NEWS_SERVER 119 to $IPADDR $UNPRIVPORTS \
via $EXT_INTERFACE in established
but I get the following when testing the script:
ipfw: error: hostname ``news.ne.mediaone.net'' unknown
usage: ipfw [options]
[pipe] flush
add [number] rule
[pipe] delete number ...
[pipe] list [number ...]
[pipe] show [number ...]
zero [number ...]
resetlog [number ...]
pipe number config [pipeconfig]
rule: [prob <match_probability>] action proto src dst extras...
action:
{allow|permit|accept|pass|deny|drop|reject|unreach code|
reset|count|skipto num|divert port|tee port|fwd ip|
pipe num} [log [logamount count]]
proto: {ip|tcp|udp|icmp|<number>}
src: from [not] {me|any|ip[{/bits|:mask}]}
[{port|port-port},[port],...]
dst: to [not] {me|any|ip[{/bits|:mask}]}
[{port|port-port},[port],...]
extras:
uid {user id}
gid {group id}
fragment (may not be used with ports or tcpflags)
in
out
{xmit|recv|via} {iface|ip|any}
{established|setup}
tcpflags [!]{syn|fin|rst|ack|psh|urg},...
ipoptions [!]{ssrr|lsrr|rr|ts},...
tcpoptions [!]{mss|window|sack|ts|cc},...
icmptypes {type[,type]}...
pipeconfig:
{bw|bandwidth}
<number>{bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}
{bw|bandwidth} interface_name
delay <milliseconds>
queue <size>{packets|Bytes|KBytes}
plr <fraction>
mask {all| [dst-ip|src-ip|dst-port|src-port|proto] <number>}
buckets <number>}
{red|gred} <fraction>/<number>/<number>/<fraction>
droptail
A similar error dump is generated for each rule using a hostname.
I have opened the dns ports by IP prior to using any hostnames.
Quoting from the handbook at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
. . .
The syntax used to specify an address/mask is:
address
or
address/mask-bits
or
address:mask-pattern
A valid hostname may be specified in place of the IP address.
. . .
So this last says a hostname is ok.
Anyone have any ideas? I'm still confused. Thanks for any help.
Lou
--
Louis LeBlanc leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://acadia.ne.mediaone.net ԿԬ
Juall's Law on Nice Guys:
Nice guys don't always finish last; sometimes they don't finish.
Sometimes they don't even get a chance to start!
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011004071834.A2458>