Re: ipfw

From: Peter C. Lai (sirmoo@cowbert.2y.net)
Date: 05/05/02


Date: Sat, 4 May 2002 23:59:33 -0400
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: "William J. Borskey" <wborskey@hotmail.com>

On Sat, May 04, 2002 at 08:36:52PM -0700, William J. Borskey wrote:
>
>
> Is it possible to write rules for ipfw using ethernet addresses instead of
> IP addresses?

I don't think so (although I might be wrong).
I think people use static ARP to prevent ARP poisoning so
IP <-> MAC translations stay the same.

>
> ipfw -q -f flush
> ipfw -q add 00100 allow ip from any to any via lo0
> ipfw -q add 00220 deny log ip to me 22 from any in
> ipfw -q add 00100 allow ip from any to any
> ipfw -q add 00225 deny log tcp from any to any in tcpflags syn,fin
> ipfw -q add 00230 check-state
> ipfw -q add 00235 deny tcp from any to any in established
> ipfw -q add 00240 allow ip from any to any out keep-state
> ipfw -q add 00250 deny tcp from any to any 6000
> ipfw -q add 00900 deny log ip from any to any
>
> And is this OK to block everything except ssh?
>

Uh, check your rule numbering. You have 2 rule 100s.

220 will *block* port 22 on your machine,
and the 2nd rule 100 allows everything, so this effectively
will *allow* everything *except* ssh.


-- 
Peter C. Lai
University of Connecticut
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
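The rule-ordering point made in the reply, worked through as an added example that is not part of the thread: a small Python model of ipfw's first-match evaluation, with the quoted ruleset and a corrected one. It is a deliberate simplification and not ipfw's own code: it carries no TCP flags and no dynamic state, so the quoted tcpflags and established rules are left out and check-state never matches; the interface name em0, the Packet/Rule classes and the corrected ruleset are my own. Running it shows the duplicate rule 100 and that, because ipfw walks rules in ascending number order (same number: insertion order), the catch-all allow at 100 is evaluated before the deny at 220, so no packet ever reaches the ssh rule.

```python
"""First-match simulator for an ipfw-style ruleset (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int]     # None for protocols without ports
    direction: str              # "in" or "out"
    iface: str = "em0"          # constructed interface name, not from the thread


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # "allow", "deny" or "check-state"
    proto: str = "ip"                 # "ip" matches every protocol, as in ipfw
    dst: str = "any"                  # "any" or "me"; used only when rendering
    dst_port: Optional[int] = None    # None matches any destination port
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # models "via lo0"
    log: bool = False                 # rendering only
    keep_state: bool = False          # rendering only; no state is simulated

    def matches(self, pkt: Packet) -> bool:
        if self.action == "check-state":
            return False              # this model keeps no dynamic state table
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        return True

    def render(self) -> str:
        """Render the rule in ipfw(8) command syntax, as a script would carry it."""
        parts = ["ipfw -q add", "%05d" % self.number, self.action]
        if self.action == "check-state":
            return " ".join(parts)
        if self.log:
            parts.append("log")
        parts += [self.proto, "from any to", self.dst]
        if self.dst_port is not None:
            parts.append(str(self.dst_port))
        if self.direction is not None:
            parts.append(self.direction)
        if self.iface is not None:
            parts += ["via", self.iface]
        if self.keep_state:
            parts.append("keep-state")
        return " ".join(parts)


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (action, rule number) of the first matching rule.

    ipfw evaluates rules by ascending number; rules sharing a number keep
    insertion order, which the stable sorted() preserves. With no match the
    kernel's default rule 65535 applies; it denies unless the kernel was built
    with IPFIREWALL_DEFAULT_TO_ACCEPT, so "deny" is assumed here.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", 65535


def duplicate_numbers(rules: List[Rule]) -> Dict[int, int]:
    """Rule numbers used more than once, mapped to their count (the reply's first point)."""
    counts: Dict[int, int] = {}
    for rule in rules:
        counts[rule.number] = counts.get(rule.number, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


# The ruleset quoted in the thread, minus the tcpflags/established rules this model cannot express.
QUOTED = [
    Rule(100, "allow", iface="lo0"),
    Rule(220, "deny", dst="me", dst_port=22, direction="in", log=True),
    Rule(100, "allow"),                        # the second rule 100: matches everything
    Rule(230, "check-state"),
    Rule(240, "allow", direction="out", keep_state=True),
    Rule(250, "deny", proto="tcp", dst_port=6000),
    Rule(900, "deny", log=True),
]

# A corrected set for "block everything except ssh" (my own, not from the thread).
FIXED = [
    Rule(100, "allow", iface="lo0"),
    Rule(110, "check-state"),
    Rule(200, "allow", proto="tcp", dst="me", dst_port=22, direction="in"),
    Rule(300, "allow", direction="out", keep_state=True),
    Rule(900, "deny", log=True),
]

if __name__ == "__main__":
    print("duplicates in quoted set:", duplicate_numbers(QUOTED))
    for pkt in (Packet("tcp", 22, "in"), Packet("tcp", 6000, "in"), Packet("tcp", 80, "in")):
        print(pkt, "quoted ->", decide(QUOTED, pkt), "fixed ->", decide(FIXED, pkt))
    print("\n".join(r.render() for r in FIXED))
```

Inbound ssh, inbound port 6000 and inbound port 80 all come back as allowed by rule 100 under the quoted set, while the corrected set allows only ssh inbound and denies the rest at 900. On a real host the rendered lines belong in the firewall script run from rc.conf, preceded by the same `ipfw -q -f flush` the quoted script starts with.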