IPFW Established and Outside Traffic Problem

Julian Elischer julian at elischer.org
Wed Feb 27 04:50:55 UTC 2008


steve13th wrote:
> Given: 
> Running FREEBSD
> 
> What I want to do:
> I am attempting to disable the following things:
> Note H= host octet
> 1. disable pings
> 2. disable traffic originating from networks other than HHH.HH.HHH.0/24
> 3. allow traffic to originate from HHH.HH.HHH.11 and go back and forth with
> the internet
> Status:
> I am able to block pings, but I can't have traffic with the internet
> 
> My rules
> 
> ipfw add 1 deny icmp from any to any icmptypes 0,8
> ipfw add 2 allow tcp from any to any established
> ipfw add 3 allow all from HHH.HH.HHH.11/24 to any
> 
> 


oh where to start..

firstly realise that ipfw is called for every packet arriving on every
interface and every packet leaving on every interface.

you probably want to limit processing to packets coming and going on
some interface. Assume em0 is your outside interface..

# divide up traffic into that we are interested in and that we are not
ipfw add 10 skipto 100 ip from any to any in recv em0
ipfw add 11 skipto 200 ip from any to any out xmit em0
ipfw add 20 allow ip from any to any

# incoming packets from the outside
ipfw add 100 drop ip from 127.0.0.0/8 to any
ipfw add 101 drop ip from any to 127.0.0.0/8
ipfw add 110 drop icmp from any to any icmptypes 0,8
ipfw add 120 check-state    # replies to sessions opened by rule 200
[ add any other packet descriptions for incoming packets you may want
to accept]
ipfw add 190 drop ip from any to any

# outgoing packets to the outside
ipfw add 200 allow ip from any to any keep-state
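
Putting the skeleton above together with the three original requirements, here is a complete ruleset as an added example; it is not part of Julian's reply nor FreeBSD's own rc.firewall. It assumes em0 is the outside interface and uses the documentation addresses 192.0.2.0/24 and 192.0.2.11 in place of HHH.HH.HHH.0/24 and HHH.HH.HHH.11; those values, the rule numbers and the build_ruleset function name are illustrative. It goes beyond the skeleton in two ways: only the one host may originate traffic to the internet (requirement 3, with everything else denied and logged for requirement 2), and packets arriving from outside with a source address in the LAN prefix are dropped as spoofed.

```shell
#!/bin/sh
# Added example (not from the thread): complete ipfw ruleset built on the
# skeleton in the reply above.  Assumptions (hypothetical): em0 is the
# outside interface, 192.0.2.0/24 stands in for HHH.HH.HHH.0/24 and
# 192.0.2.11 for HHH.HH.HHH.11.
#
# fwcmd follows the rc.firewall convention.  It defaults to "echo ipfw" so
# running the script only prints the rules; set fwcmd=/sbin/ipfw (as root)
# to load them.  The variable is deliberately left unquoted so "echo ipfw"
# splits into a command and its first argument.
fwcmd="${fwcmd:-echo ipfw}"

# Emit the ruleset for outside interface $1, LAN prefix $2, permitted host $3.
build_ruleset() {
    oif="$1"; lan="$2"; host="$3"

    $fwcmd -f flush                               # start from an empty table

    # Only traffic crossing the outside interface is inspected; everything
    # else (loopback, LAN-side traffic) falls through to rule 20 and is allowed.
    $fwcmd add 10 skipto 100 ip from any to any in recv "$oif"
    $fwcmd add 11 skipto 200 ip from any to any out xmit "$oif"
    $fwcmd add 20 allow ip from any to any

    # Inbound from the outside
    $fwcmd add 100 deny ip from 127.0.0.0/8 to any       # loopback never arrives here
    $fwcmd add 101 deny ip from any to 127.0.0.0/8
    $fwcmd add 102 deny ip from "$lan" to any            # our own prefix from outside = spoofed
    $fwcmd add 110 deny icmp from any to any icmptypes 0,8   # requirement 1: no echo in either form
    $fwcmd add 120 check-state                           # replies to sessions opened by rule 210
    $fwcmd add 190 deny log ip from any to any           # nothing else gets in

    # Outbound to the outside
    $fwcmd add 200 deny icmp from any to any icmptypes 0,8   # requirement 1, outbound side
    $fwcmd add 210 allow ip from "$host" to any keep-state   # requirement 3: only this host originates
    $fwcmd add 290 deny log ip from any to any               # requirement 2: everything else is dropped
}

# Defaults are the hypothetical values from the lead-in; override on the command line.
build_ruleset "${1:-em0}" "${2:-192.0.2.0/24}" "${3:-192.0.2.11}"
```

Run with no arguments it only prints the rules, which is a safe way to check their order before loading them; to apply, run as root with `fwcmd=/sbin/ipfw sh firewall.sh`, preferably from the console: `ipfw -f flush` removes every rule, and on a kernel whose default rule is deny (the FreeBSD default unless built with IPFIREWALL_DEFAULT_TO_ACCEPT) a remote session stays cut off until rule 20 is back. The `log` keyword produces nothing until `net.inet.ip.fw.verbose` is set to 1.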


More information about the freebsd-ipfw mailing list