Date: Thu, 4 Jan 2001 05:32:37 -0800 (PST)
From: Jon Simola <jon@abccom.bc.ca>
To: ipfw@freebsd.org
Subject: Indexing IPFW rule
Message-ID: <Pine.BSF.3.96.1010104052129.462T-200000@newmail.netbistro.com>
I have a bridging firewall in place, and I needed to be able to allow and deny traffic from single IPs and change whether they're allowed or denied rather quickly. Looking through the IPFW code at the skipto rule, I figured it couldn't be too hard.

This (very rough) code actually does the job (albeit in only one direction currently). It's designed to be used like:

ipfw add 9000 index 10000 ip from any to 192.168.0.0/24 in recv rl0
# make sure you don't fall through into this block of rules
ipfw add 10001 allow ip from any to any   # 192.168.0.1 will be thrown here
ipfw add 10002 deny ip from any to any    # 192.168.0.2 will be thrown here
# skip a few for readability
ipfw add 10254 deny ip from any to any    # 192.168.0.254 will be thrown here
ipfw add 10255 allow ip from any to any   # 192.168.0.255 will be thrown here

Now, I'm hoping to garner some feedback on:
- ways to clean up the code
- things to improve (besides its current unidirectional nature)
- whether this is interesting

Oh, it's a patch against 4.2-RELEASE.

Thanks!

---
Jon Simola <jon@abccom.bc.ca> | "In the near future - corporate networks
Systems Administrator       | reach out to the stars, electrons and light
ABC Communications          | flow throughout the universe."
                            -- GITS

[Attachment: firewallindex.diff (TEXT/PLAIN, base64-encoded); the encoded body is omitted here.]
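The dispatch the post describes (target rule = index base + host byte of the destination address) together with its "don't fall through" caveat, as an added Python check that is not part of the post or the attached patch. The rule script is constructed from the post's example; mapping host .0 onto the base rule itself is an assumption that follows the same arithmetic, since the post does not say.

```python
import re

# Constructed ipfw rule script mirroring the post's example
# (the post omits rules 10003..10253 "for readability").
RULES = """
ipfw add 9000 index 10000 ip from any to 192.168.0.0/24 in recv rl0
# make sure you don't fall through into this block of rules
ipfw add 10001 allow ip from any to any   # 192.168.0.1 will be thrown here
ipfw add 10002 deny ip from any to any    # 192.168.0.2 will be thrown here
ipfw add 10254 deny ip from any to any    # 192.168.0.254 will be thrown here
ipfw add 10255 allow ip from any to any   # 192.168.0.255 will be thrown here
"""

# "[ipfw] add <number> <action> [<numeric arg>] ..."
RULE_RE = re.compile(r"^(?:ipfw\s+)?add\s+(\d+)\s+(\w+)(?:\s+(\d+))?")


def parse_rules(text):
    """Return {rule_number: (action, numeric_arg_or_None)} for each add line."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = RULE_RE.match(line)
        if m:
            num, action, arg = int(m.group(1)), m.group(2), m.group(3)
            rules[num] = (action, int(arg) if arg else None)
    return rules


def index_target(base, dst_ip):
    """Rule an 'index BASE' rule jumps to: BASE + low byte of dst_ip.
    Host .0 therefore lands on BASE itself (assumption, not stated in the post)."""
    return base + (dst_ip & 0xFF)


def check_index_block(rules, terminal=("allow", "deny", "drop")):
    """For every index rule, list host bytes whose target rule is missing or is
    not a terminating allow/deny, i.e. where a packet would fall through."""
    problems = {}
    for num, (action, base) in rules.items():
        if action != "index":
            continue
        gaps = [h for h in range(256)
                if index_target(base, h) not in rules
                or rules[index_target(base, h)][0] not in terminal]
        problems[num] = gaps
    return problems


if __name__ == "__main__":
    for idx, gaps in check_index_block(parse_rules(RULES)).items():
        print(f"index rule {idx}: {len(gaps)} hosts without a terminal rule")
```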