IPFW Established and Outside Traffic Problem

steve13th anderssl at purdue.edu
Wed Feb 27 07:13:29 UTC 2008


THANK YOU.  I was trying to use ipfw exactly like iptables.  The division of
the outgoing and incoming packets makes sense.
Thanks Again!

Julian Elischer wrote:
> 
> steve13th wrote:
>> Given: 
>> Running FREEBSD
>> 
>> What I want to do:
>> I am attempting to disable the following things:
>> Note H= host octet
>> 1. disable pings
>> 2. disable traffic originating from networks other than HHH.HH.HHH.0/24
>> 3. allow traffic to originate from HHH.HH.HHH.11 and go back and forth
>> with
>> the internet
>> Status:
>> I am able to block pings, but I can't have traffic with the internet
>> 
>> My rules
>> 
>> ipfw add 1 deny icmp from any to any icmptypes 0,8
>> ipfw add 2 allow tcp from any to any established
>> ipfw add 3 allow all from HHH.HH.HHH.11/24 to any
>> 
>> 
> 
> 
> oh where to start..
> 
> firstly realise that ipfw is called for every packet arriving on every 
> interface and every packet leaving on every interface.
> 
> you probably want to limit processing to packets coming and going on 
> some interface. Assume em0 is your outside interface..
> 
> # divide up traffic into that we are interested in and that we are not
> ipfw add 10 skipto 100 ip from any to any in recv em0
> ipfw add 11 skipto 200 ip from any to any out xmit em0
> ipfw add 12 allow ip from any to any
> 
> # incoming packets from the outside
> ipfw add 100 drop ip from 127.0.0.0/8 to any
> ipfw add 101 drop ip from any to 127.0.0.0/8
> ipfw add 110 drop icmp from any to any icmptypes 0,8
> ipfw add 120 check-state
> [ add any other packets descriptions for incoming packets you may want 
> to accept]
> ipfw add 190 drop ip from any to any
> 
> # outgoing packets to the outside
> ipfw add 200 allow ip from any to any keep-state
> _______________________________________________
> freebsd-ipfw at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> 
> 

-- 
View this message in context: http://www.nabble.com/IPFW-Established-and-Outside-Traffic-Problem-tp15704943p15707342.html
Sent from the freebsd-ipfw mailing list archive at Nabble.com.
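For a complete version of the ruleset sketched in the reply above, here is an added example; it is not code from the thread or from either poster. It puts the three requirements of the original question into one loadable script using the in/out split. It assumes em0 is the outside interface, uses 192.0.2.0/24 (a documentation prefix) in place of HHH.HH.HHH.0/24 and 192.0.2.11 for the .11 host, and reads requirement 2 as "accept new inbound connections only from that /24"; all of these are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. A complete stateful ipfw
# ruleset using the in/out split described in the reply above.
# Assumptions (not in the original): em0 is the outside interface,
# 192.0.2.0/24 stands in for HHH.HH.HHH.0/24 and 192.0.2.11 is the host
# that may originate traffic to the internet.
#
# load_rules [CMD] -- runs every rule through CMD (default /sbin/ipfw), so
# "load_rules /sbin/ipfw" installs the set and "load_rules echo" prints it.
load_rules() {
    fw="${1:-/sbin/ipfw}"
    oif="em0"            # outside interface (assumption)
    lan="192.0.2.0/24"   # trusted network, i.e. HHH.HH.HHH.0/24 (assumption)
    me="192.0.2.11"      # the host that may originate traffic (assumption)

    "$fw" -q -f flush

    # Split by direction and interface. Rule 12 must carry an explicit
    # number: an unnumbered rule added here would be auto-numbered 100 and
    # sit in front of the inbound rules, allowing everything.
    "$fw" add 10 skipto 100 ip from any to any in recv "$oif"
    "$fw" add 11 skipto 200 ip from any to any out xmit "$oif"
    "$fw" add 12 allow ip from any to any

    # Packets arriving on the outside interface.
    "$fw" add 100 deny ip from 127.0.0.0/8 to any
    "$fw" add 101 deny ip from any to 127.0.0.0/8
    "$fw" add 110 deny icmp from any to any icmptypes 0,8   # echo reply, echo request
    "$fw" add 120 check-state                               # replies to flows opened at 210
    "$fw" add 130 allow ip from "$lan" to any keep-state    # new connections from the /24 only
    "$fw" add 190 deny ip from any to any

    # Packets leaving on the outside interface.
    "$fw" add 200 deny icmp from any to any icmptypes 0,8   # no outbound pings either
    "$fw" add 210 allow ip from "$me" to any keep-state     # .11 may open flows; replies return via 120
    "$fw" add 290 deny ip from any to any
}

# Install only when run as root on a host that has ipfw; otherwise do nothing,
# so the script can be reviewed with "load_rules echo" anywhere.
if [ "$(id -u)" = 0 ] && [ -x /sbin/ipfw ]; then
    load_rules /sbin/ipfw
fi
```

Run it from the console rather than over the network, since the flush briefly leaves the default policy in effect. Afterwards, ipfw show lists the static rules and ipfw -d show adds the dynamic entries that keep-state created for open flows.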