Date: Tue, 26 Feb 2008 20:51:08 -0800
From: Julian Elischer <julian@elischer.org>
To: steve13th <anderssl@purdue.edu>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW Established and Outside Traffic Problem
Message-ID: <47C4EC3C.7@elischer.org>
In-Reply-To: <15704943.post@talk.nabble.com>
References: <15704943.post@talk.nabble.com>
steve13th wrote:
> Given:
> Running FreeBSD
>
> What I want to do:
> I am attempting to disable the following things:
> Note H = host octet
> 1. disable pings
> 2. disable traffic originating from networks other than HHH.HH.HHH.0/24
> 3. allow traffic to originate from HHH.HH.HHH.11 and go back and forth with
> the internet
>
> Status:
> I am able to block pings, but I can't have traffic with the internet
>
> My rules
>
> ipfw add 1 deny icmp from any to any icmptypes 0,8
> ipfw add 2 allow tcp from any to any established
> ipfw add 3 allow all from HHH.HH.HHH.11/24 to any
>

Oh, where to start..

Firstly, realise that ipfw is called on every packet arriving on every
interface and on every packet leaving on every interface. You probably
want to limit processing to packets coming and going on some interface.
Assume em0 is your outside interface..

# divide up traffic into that which we are interested in and that which we are not
ipfw add 10 skipto 100 ip from any to any in recv em0
ipfw add 11 skipto 200 ip from any to any out xmit em0
ipfw add 12 allow ip from any to any

# incoming packets from the outside
ipfw add 100 drop ip from 127.0.0.0/8 to any
ipfw add 101 drop ip from any to 127.0.0.0/8
ipfw add 110 drop icmp from any to any icmptypes 0,8
ipfw add 120 check-state
[ add any other packet descriptions for incoming packets you may want to accept ]
ipfw add 190 drop ip from any to any

# outgoing packets to the outside
ipfw add 200 allow ip from any to any keep-state
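The layout above (classify by interface with skipto, then a per-direction block with a numbered catch-all) written out as a complete ruleset for the asker's three requirements. This is an added example, not code from the original thread. It assumes em0 is the outside interface, uses 192.0.2.0/24 (TEST-NET-1) as a stand-in for HHH.HH.HHH.0/24 and 192.0.2.11 for HHH.HH.HHH.11, and replaces the asker's flag-based `established` match with a keep-state/check-state pair: `established` only tests that the ACK bit is set, which any crafted packet can satisfy, whereas a dynamic rule only exists for flows the inside host actually opened. Every rule carries an explicit number so that the catch-all allow is guaranteed to sit in front of the deny rules at 100; an unnumbered `ipfw add` following rule 11 would otherwise be auto-numbered 100 itself. The `IPFW` variable lets you preview the commands without root.

```shell
#!/bin/sh
# Added example: complete ipfw ruleset for the scenario discussed in the thread.
# Assumptions (placeholders, adjust for your machine):
#   OIF  outside interface (em0, as in the reply)
#   LAN  the HHH.HH.HHH.0/24 network; 192.0.2.0/24 stands in for it
#   HOST the HHH.HH.HHH.11 machine that may talk to the Internet
# IPFW can be overridden (IPFW=echo) to print the rules instead of loading them.
IPFW="${IPFW:-/sbin/ipfw -q}"
OIF="${OIF:-em0}"
LAN="${LAN:-192.0.2.0/24}"
HOST="${HOST:-192.0.2.11}"

build_ruleset() {
    fw="$IPFW"
    $fw -f flush

    # 10-12: classify by interface. Packets that are not on the outside
    # interface (lo0, inside NICs) are allowed by rule 12. It needs an explicit
    # number: unnumbered, it would be auto-numbered 100 and precede the denies.
    $fw add 10 skipto 100 ip from any to any in recv "$OIF"
    $fw add 11 skipto 200 ip from any to any out xmit "$OIF"
    $fw add 12 allow ip from any to any

    # 100-190: inbound on the outside interface
    $fw add 100 deny ip from 127.0.0.0/8 to any
    $fw add 101 deny ip from any to 127.0.0.0/8
    # anti-spoofing: nothing arriving from outside may claim a LAN address
    $fw add 102 deny ip from "$LAN" to any
    # requirement 1: drop echo request (8) and echo reply (0) from outside
    $fw add 110 deny icmp from any to any icmptypes 0,8
    # return traffic for flows opened by rule 200 matches its dynamic rules here
    $fw add 120 check-state
    # [rules for services that must be reachable from outside go here]
    $fw add 190 deny ip from any to any

    # 200-290: outbound on the outside interface
    # requirement 3: HOST may originate traffic and receive the replies;
    # requirement 2: nothing else (no other network, no other LAN host) leaves
    $fw add 200 allow ip from "$HOST" to any keep-state
    $fw add 290 deny ip from any to any
}

# "sh ipfw.sh preview" prints the commands; "sh ipfw.sh load" installs them.
case "${1:-}" in
    preview) IPFW=echo build_ruleset ;;
    load)    build_ruleset ;;
esac
```

Because rule 110 precedes the check-state at 120, echo replies to pings sent out by HOST are dropped too; if HOST should be able to ping out, move the check-state in front of rule 110. After loading, `ipfw show` lists the static rules with hit counters and `ipfw -d show` adds the dynamic rules, which is the quickest way to confirm that an outbound connection from HOST created state and that its replies are being counted at rule 120 rather than at 190.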
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47C4EC3C.7>