ipfw and hostnames
Chuck Swiger
cswiger at mac.com
Mon Jun 2 09:01:40 PDT 2003
Petri Helenius wrote:
[ ... ]
> That's another defect in the ipfw client utility: it stops processing rules if
> it fails to look up something. There should at least be a switch to allow
> it to continue and ignore the lines it cannot do.
If you really want to use names instead of IP addresses, try something like the
following from /etc/rc.conf:
firewall_type='/etc/MY_firewall'
firewall_flags='-p /usr/bin/cpp'
...and /etc/MY_firewall:
/* This file is run through cpp by "ipfw -p", so only cpp directives may start
   with '#'; a plain "# text" line is an unknown directive to cpp and aborts the
   load. Use C comments instead. The '# linenum' markers cpp emits are skipped
   by ipfw. */
/* set these to your inside interface network and netmask and ip */
#define IIF sis0
#define INET 192.168.1.0/24
#define IIP 192.168.1.2
#define OIF fxp0
#define ONET xxx
#define OIP xxx
#define LOCALHOST 127.0.0.1
#define HOST1 1.2.3.4
/* port number ranges */
#define LOPORTS 1-1023
#define HIPORTS 1024-65535
/* Bandwidth limitation: inbound traffic on the inside interface through pipe 11,
   outbound through pipe 12 (the ip rule catches whatever tcp/udp did not). */
add 10 pipe 11 tcp from any to any in via IIF
add pipe 11 udp from any to any in via IIF
add pipe 11 ip from any to any in via IIF
pipe 11 config queue 60
add pipe 12 tcp from any to any out via IIF
add pipe 12 udp from any to any out via IIF
add pipe 12 ip from any to any out via IIF
pipe 12 config queue 60
/* add rules here */
add 65000 allow ip from any to any
> And in case you were wondering, I don't believe in perimeter security,
> so we run packet filters on all machines, not just on something some people
> call the magic-security-device-on-the-border alias "firewall".
It's certainly true that good security consists of more than just a magic box
called a firewall. If you configure your hosts securely so that they are safe
even without a "packet filtering router", you'll be doing much better than average.
That being said, saying "I don't believe in perimeter security" is akin to
saying "I don't see a difference between a network and a group of hosts".
--
-Chuck
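As an added example (not from Chuck's post or from FreeBSD itself): a sh script that does the name lookups up front, hands the results to ipfw as -D macros for cpp, and refuses to load the ruleset at all if any lookup fails, so ipfw never stops part-way through the rule file. The hosts table, the names and the macro list are constructed; resolve() is an offline stand-in for a real DNS lookup.

```shell
#!/bin/sh
# Added example, not from Chuck's post or from FreeBSD: resolve the host
# names a cpp-preprocessed ruleset depends on *before* ipfw runs, pass them
# in as -D macros, and refuse to load anything if a single lookup fails,
# so ipfw never aborts half-way through the rule file.

# Constructed stand-in for DNS so the script runs offline; in production
# replace resolve() with a host(1) or getent(1) lookup.
HOSTS_TABLE='gw.example.net 192.168.1.1
host1.example.net 1.2.3.4'

# Print the address for a name, or nothing when it is unknown.
resolve() {
    printf '%s\n' "$HOSTS_TABLE" | awk -v n="$1" '$1 == n { print $2; exit }'
}

# Read "MACRO hostname" pairs on stdin and print the matching cpp -D flags.
# Returns 1 (after reporting every failure) if any name did not resolve.
build_defines() {
    out=""
    status=0
    while read -r macro name; do
        [ -z "$macro" ] && continue
        addr=$(resolve "$name")
        if [ -z "$addr" ]; then
            echo "unresolved: $name (macro $macro)" >&2
            status=1
        else
            out="${out:+$out }-D$macro=$addr"
        fi
    done
    printf '%s\n' "$out"
    return $status
}

# Compose the ipfw command for a rule file plus "MACRO hostname" arguments.
# The command is printed rather than executed here; swap echo for exec (as
# root) to load the ruleset for real. Nothing is loaded on a failed lookup.
load_ruleset() {
    rules=$1
    shift
    defs=$(printf '%s\n' "$@" | build_defines) || {
        echo "refusing to load $rules: keeping the current ruleset" >&2
        return 1
    }
    echo "ipfw -p /usr/bin/cpp${defs:+ $defs} $rules"
}
```

With the macros resolved this way the rule file itself carries no host names, only the macro names, and a DNS outage leaves the previous ruleset in place instead of a half-loaded one.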