Matching rules on ip4/ip6 with udp/tcp

Freddie Cash fjwcash at gmail.com
Wed Jun 6 18:01:00 UTC 2018


On Wed, Jun 6, 2018 at 10:36 AM, Dries Michiels <driesm.michiels at gmail.com>
wrote:

> Is there a way to match packets specifying both network generation ip4 or
> ip6 together with the protocol such as tcp or udp?
>
> Currently the following rules are possible (examples):
>
> ipfw add 1 allow udp from any to me 22 in recv em0
>
> ipfw add 1 allow ip4 from any to me 22 in recv em0
>
>
> The following rule is not possible (example):
>
> ipfw add 1 allow ip4 udp from any to me 22 in recv em0
>
>
> Is there a workaround for this or some reason why this hasn't been
> implemented?
>
> Or do I simply not have the rule syntax right?
>

One of the following pairs should do what you want, although the man page
is a little hard to parse on some of it, so they may not actually work:

ipfw add 1 allow from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow from any to me in recv em0 proto ip6 dst-port 22

ipfw add 1 allow udp from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow udp from any to me in recv em0 proto ip6 dst-port 22

Basically, there's a giant section in the man page about the "options"
section of the rule (what goes after the interface).  You can do just about
anything within that section, including a lot of what could be done in the
"protocol" and "source address" and "destination address" sections.

--
Freddie Cash
fjwcash at gmail.com


More information about the freebsd-ipfw mailing list