Re: ipfw

From: Peter C. Lai (sirmoo@cowbert.2y.net)
Date: 05/05/02

Next message: Eugene Grosbein: "Re: ipfw"
Previous message: William J. Borskey: "ipfw"
In reply to: William J. Borskey: "ipfw"
Next in thread: Eugene Grosbein: "Re: ipfw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 4 May 2002 23:59:33 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: "William J. Borskey" <wborskey@hotmail.com>

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
>
>
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?

i don't think so (although i might be wrong).
I think people use static arp to prevent arp poisoning so
IP <-> MAC translations stay the same.

>
> ipfw -q -f flush
> ipfw -q add 00100 allow ip from any to any via lo0
> ipfw -q add 00220 deny log ip to me 22 from any in
> ipfw -q add 00100 allow ip from any to any
> ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
> ipfw -q add 00230 check-state
> ipfw -q add 00235 deny tcp from any to any in established
> ipfw -q add 00240 allow ip from any to any out keep-state
> ipfw -q add 00250 deny tcp from any to any 6000
> ipfw -q add 00900 deny log ip from any to any
>
> and is this ok to block everything except ssh?
>

uh check your rule numbering. you have 2 rule 100s.

220 will *block* port 22 on your machine.
and the 2nd rule 100 allows everything so this effectively
will *allow* everything *except* ssh.

>
> _________________________________________________________________
> Chat with friends online, try MSN Messenger: http://messenger.msn.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Next message: Eugene Grosbein: "Re: ipfw"
Previous message: William J. Borskey: "ipfw"
In reply to: William J. Borskey: "ipfw"
Next in thread: Eugene Grosbein: "Re: ipfw"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: too many dynamic rules
... I myself use ipf/ipnat so I'm not so familliar with ipfw ruleset, ... > add 00202 deny log all from any to 10.0.0.0/8 ... > add 00600 allow icmp from any to any icmptypes 3 ...
(FreeBSD-Security)
Re: blocking port 22 with ipfw
... > This is the command line I am using but it doesn't work ... ipfw add 100 deny log tcp from any to any 22 ... ipfw add 100 deny log tcp from any to UR_IP_HERE 22 ...
(comp.security.unix)
Re: Whats the point of not allowing all outgoing traffic by default?
... Outbound traffic is normally disallowed by default, and you have to setup an explicit rule that you want it. ... ipfw add 3 deny log ip from any to me out ... ipfw add 9 deny log tcp from me to any smtp out ...
(comp.security.firewalls)
Re: ipfw subnetting
... ipfw add allow ip from any to any via lo0 ... ipfw add deny log ip from 180.0.0.0/8 to any in recv $ext_if ... ipfw add check-state ...
(freebsd-questions)
Re: IPFW Problems
... I doing this over an SSH connection, ... there seems to be something odd with ipfw. ... ipfw add 00299 deny log all from any to any out via bge0 ... ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit ...
(freebsd-questions)