From: Peter C. Lai (firstname.lastname@example.org)
Date: Sat, 4 May 2002 23:59:33 -0400
From: "Peter C. Lai" <email@example.com>
To: "William J. Borskey" <firstname.lastname@example.org>
On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
> is it possible to write rules for ipfw using ethernet addresses instead of
> ip addresses?
I don't think so (although I might be wrong).
I think people use static arp to prevent arp poisoning so
IP <-> MAC translations stay the same.
> ipfw -q -f flush
> ipfw -q add 00100 allow ip from any to any via lo0
> ipfw -q add 00220 deny log ip to me 22 from any in
> ipfw -q add 00100 allow ip from any to any
> ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
> ipfw -q add 00230 check-state
> ipfw -q add 00235 deny tcp from any to any in established
> ipfw -q add 00240 allow ip from any to any out keep-state
> ipfw -q add 00250 deny tcp from any to any 6000
> ipfw -q add 00900 deny log ip from any to any
> and is this ok to block everything except ssh?
Uh, check your rule numbering. You have 2 rule 100s.
220 will *block* port 22 on your machine.
and the 2nd rule 100 allows everything so this effectively
will *allow* everything *except* ssh.
--
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
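The rule-numbering point in the reply above, as an added example that is not from the thread or from FreeBSD's ipfw: a tiny first-match evaluator that, like ipfw, walks rules in ascending rule-number order and tolerates two rules sharing a number, run against the quoted ruleset and against a hypothetical renumbered one. The interface name `fxp0`, the `FIXED` ruleset and the omission of the stateful/tcpflags rules (230, 225, 235) are assumptions made here to keep the ordering effect visible.

```python
# Simplified ipfw-style evaluator: first matching rule wins, rules are
# sorted by number, and equal numbers keep their insertion order.
# Only proto, destination port, direction and interface are matched;
# keep-state/check-state/tcpflags rules are left out (assumption).
from collections import namedtuple

Rule = namedtuple("Rule", "num action proto dport direction iface")
Pkt = namedtuple("Pkt", "proto dport direction iface")

def matches(rule, pkt):
    """A rule field of 'ip'/None acts as a wildcard, as in ipfw's 'any'."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.direction is None or rule.direction == pkt.direction)
            and (rule.iface is None or rule.iface == pkt.iface))

def verdict(rules, pkt):
    """Return the action and number of the first matching rule;
    ipfw's implicit final rule 65535 denies whatever falls through."""
    for rule in sorted(rules, key=lambda r: r.num):  # sorted() is stable
        if matches(rule, pkt):
            return f"{rule.action} by rule {rule.num}"
    return "deny by rule 65535"

# The ruleset quoted in the thread, as typed, with the duplicate rule 100.
QUOTED = [
    Rule(100, "allow", "ip", None, None, "lo0"),
    Rule(220, "deny", "ip", 22, "in", None),
    Rule(100, "allow", "ip", None, None, None),  # the second rule 100
    Rule(240, "allow", "ip", None, "out", None),
    Rule(250, "deny", "tcp", 6000, None, None),
    Rule(900, "deny", "ip", None, None, None),
]

# Hypothetical renumbering for "block everything except ssh": the SSH
# allow must sort before the catch-all deny, and no second rule 100.
FIXED = [
    Rule(100, "allow", "ip", None, None, "lo0"),
    Rule(200, "allow", "tcp", 22, "in", None),
    Rule(240, "allow", "ip", None, "out", None),
    Rule(900, "deny", "ip", None, None, None),
]

SSH_IN = Pkt("tcp", 22, "in", "fxp0")      # constructed sample packets
X11_IN = Pkt("tcp", 6000, "in", "fxp0")

if __name__ == "__main__":
    for name, rs in (("quoted", QUOTED), ("fixed", FIXED)):
        print(name, "ssh in:", verdict(rs, SSH_IN), "| x11 in:", verdict(rs, X11_IN))
```

Because sorting by number puts the second rule 100 ahead of rule 220, the quoted set allows the inbound SSH packet (and the X11 one) at rule 100; only the renumbered set reaches the deny.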