Matching rules on ip4/ip6 with udp/tcp
Dries Michiels
driesm.michiels at gmail.com
Wed Jun 6 18:14:02 UTC 2018
Tried out the variations you mentioned and they work just great.
Thank you!
Dries
From: Freddie Cash <fjwcash at gmail.com>
Sent: Wednesday 6 June 2018 20:01
To: Dries Michiels <driesm.michiels at gmail.com>
Cc: freebsd-ipfw at freebsd.org
Subject: Re: Matching rules on ip4/ip6 with udp/tcp
On Wed, Jun 6, 2018 at 10:36 AM, Dries Michiels <driesm.michiels at gmail.com> wrote:
Is there a way to match packets specifying both network generation ip4 or
ip6 together with the protocol such as tcp or udp?
Currently the following rules are possible (examples):
ipfw add 1 allow udp from any to me 22 in recv em0
ipfw add 1 allow ip4 from any to me 22 in recv em0
The following rule is not possible (example):
ipfw add 1 allow ip4 udp from any to me 22 in recv em0
Is there a workaround for this or some reason why this hasn't been
implemented?
Or do I simply not have the rule syntax right?
One of the following pairs should do what you want, although the man page is a little hard to parse on some of it, so they may not actually work:
ipfw add 1 allow from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow from any to me in recv em0 proto ip6 dst-port 22
ipfw add 1 allow udp from any to me in recv em0 proto ip4 dst-port 22
ipfw add 1 allow udp from any to me in recv em0 proto ip6 dst-port 22
Basically, there's a giant section in the man page about the "options" section of the rule (what goes after the interface). You can do just about anything within that section, including a lot of what could be done in the "protocol" and "source address" and "destination address" sections.
--
Freddie Cash
fjwcash at gmail.com