*BSD News Article 61511



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!bunyip.cc.uq.oz.au!news.qut.edu.au!ocean.fit.qut.edu.au!brad
From: Brad MacKenzie <brad@fit.qut.edu.au>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: IPFW filter rules...
Date: Thu, 8 Feb 1996 09:25:03 +1000
Organization: Queensland University of Technology, Australia
Lines: 60
Distribution: world
Message-ID: <Pine.HPP.3.91.960207170506.20192A-100000@ocean.fit.qut.edu.au>
NNTP-Posting-Host: ocean.fit.qut.edu.au
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

We seem to be having some troubles getting ipfw up and running with the
2.2-960130-SNAP release. 
 
The filtering rules being applied are meant to halt tcp and udp between ports
1 and 1024 from both networks on the BSD router. We would then like to
specifically allow services like telnet. However, it looks as though the high
port, e.g. 2611, is being blocked by ipfw.  My initial thoughts are that the
range is not being used (incorrect syntax?).
 
Any ideas??? Any help will be greatly appreciated.
 
Here's a script I wrote to implement the rules...
(indented lines have been split for readability) 
-----------------------------------------------
#!/bin/sh
 
ipfw policy allow
 
# Reject hosts here...
ipfw addf lreject tcp from 123.123.96.0/24 1:1024
ipfw addf lreject udp from 123.123.96.0/24 1:1024
ipfw addf lreject tcp from 123.123.6.0/24 1:1024
ipfw addf lreject udp from 123.123.6.0/24 1:1024
 
 
# Allow hosts here...
# (trailing backslashes so the split lines still run as one command)
ipfw addf log tcp from 123.123.6.78/24 \
        to 123.123.96.100/24 23
 
ipfw addf log tcp from 123.123.6.78/24 \
        to 123.123.96.100/24 113
 
ipfw addf log tcp from 123.123.96.100/24 \
        to 123.123.6.78/24 23
 
ipfw addf log tcp from 123.123.96.100/24 \
        to 123.123.6.78/24 113
 
# Display Resulting Rules...
ipfw policy
ipfw list
 
------------------------------------------------
And here are the resulting syslog errors...
(date and time removed)
 
/kernel: Accept TCP 123.123.96.100:2611 123.123.6.78:23
/kernel: Deny TCP 123.123.6.78:23 123.123.96.100:2611
/kernel: Accept TCP 123.123.96.100:2611 123.123.6.78:23
/kernel: Deny TCP 123.123.6.78:23 123.123.96.100:2611
/kernel: Accept TCP 123.123.96.100:2611 123.123.6.78:23
/kernel: Deny TCP 123.123.6.78:23 123.123.96.100:2611
/kernel: Accept TCP 123.123.96.100:2611 123.123.6.78:23
/kernel: Deny TCP 123.123.6.78:23 123.123.96.100:2611
 
 
Thanks for reading this far!
 
Brad MacKenzie (brad@fit.qut.edu.au)
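Editor's note: the syslog excerpt above shows the client's SYN from 123.123.96.100:2611 being accepted and the server's reply from 123.123.6.78:23 being denied. The model below is an added example, not the poster's script and not ipfw itself. It treats the filter as first-match (the first rule that fits decides, otherwise the default policy applies), reads the port range written after the source address as a source-port range and the one after the destination as a destination-port range, takes the posted "log" rules as log-and-accept, and applies ordinary CIDR semantics, so 123.123.6.78/24 covers all of 123.123.6.0/24. All of those are assumptions about the old syntax. Under them the posted set rejects the reply because its source port, 23, falls in 1:1024, while a probe to another low port from a high source port sails through; the reworked set puts the exact-host allows first and keys the rejects on the destination port instead. The PROBE packet (123.123.6.5:25) is a constructed, hypothetical host and port.

```python
"""First-match packet-filter model used to trace the ruleset from the post.
Added example; not the original script and not ipfw itself."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass
class Rule:
    action: str          # "accept" or "reject"
    proto: str           # "tcp" or "udp"
    src: str             # CIDR; a host written with /24 covers its whole /24
    sport: PortRange     # range written after the source address
    dst: str             # CIDR
    dport: PortRange     # range written after the destination address
    log: bool = False    # the "l" prefix / "log" action in the posted syntax


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def in_range(r: PortRange, port: int) -> bool:
    return r is None or r[0] <= port <= r[1]


def in_net(cidr: str, addr: str) -> bool:
    # strict=False accepts "123.123.6.78/24" and widens it to 123.123.6.0/24
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and in_net(rule.src, pkt.src) and in_range(rule.sport, pkt.sport)
            and in_net(rule.dst, pkt.dst) and in_range(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet,
             policy: str = "accept") -> Tuple[str, Optional[int]]:
    """First matching rule decides; returns (verdict, 0-based rule index or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return policy, None


ANY = "0.0.0.0/0"
LOW = (1, 1024)

# The posted rules as written: 1:1024 follows the *source* address, so it
# restricts source ports.  "log" rules are modelled as log-and-accept (assumption).
POSTED = [
    Rule("reject", "tcp", "123.123.96.0/24", LOW, ANY, None, log=True),
    Rule("reject", "udp", "123.123.96.0/24", LOW, ANY, None, log=True),
    Rule("reject", "tcp", "123.123.6.0/24",  LOW, ANY, None, log=True),
    Rule("reject", "udp", "123.123.6.0/24",  LOW, ANY, None, log=True),
    Rule("accept", "tcp", "123.123.6.78/24",   None, "123.123.96.100/24", (23, 23),   log=True),
    Rule("accept", "tcp", "123.123.6.78/24",   None, "123.123.96.100/24", (113, 113), log=True),
    Rule("accept", "tcp", "123.123.96.100/24", None, "123.123.6.78/24",   (23, 23),   log=True),
    Rule("accept", "tcp", "123.123.96.100/24", None, "123.123.6.78/24",   (113, 113), log=True),
]

# Reworked set: exact-host allows first, covering both directions of telnet and
# ident, then rejects keyed on the *destination* port, which is what "block the
# services on ports 1-1024" means.  Replies carry the low port as source and pass.
REWORKED = [
    Rule("accept", "tcp", "123.123.96.100/32", None,       "123.123.6.78/32",   (23, 23)),
    Rule("accept", "tcp", "123.123.6.78/32",   (23, 23),   "123.123.96.100/32", None),
    Rule("accept", "tcp", "123.123.6.78/32",   None,       "123.123.96.100/32", (113, 113)),
    Rule("accept", "tcp", "123.123.96.100/32", (113, 113), "123.123.6.78/32",   None),
    Rule("reject", "tcp", "123.123.96.0/24", None, ANY, LOW, log=True),
    Rule("reject", "udp", "123.123.96.0/24", None, ANY, LOW, log=True),
    Rule("reject", "tcp", "123.123.6.0/24",  None, ANY, LOW, log=True),
    Rule("reject", "udp", "123.123.6.0/24",  None, ANY, LOW, log=True),
]

# Packets reconstructed from the syslog lines in the post, plus one constructed,
# hypothetical probe to an unrelated low port.
SYN   = Packet("tcp", "123.123.96.100", 2611, "123.123.6.78", 23)
REPLY = Packet("tcp", "123.123.6.78", 23, "123.123.96.100", 2611)
PROBE = Packet("tcp", "123.123.96.100", 4000, "123.123.6.5", 25)


def trace(rules: List[Rule], pkt: Packet, policy: str = "accept") -> str:
    verdict, idx = evaluate(rules, pkt, policy)
    where = f"rule {idx + 1}" if idx is not None else "default policy"
    return (f"{verdict.upper():6} {pkt.proto.upper()} "
            f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({where})")


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("reworked", REWORKED)):
        print(f"--- {name} ---")
        for pkt in (SYN, REPLY, PROBE):
            print(trace(rules, pkt))
```

Running it reproduces the Accept/Deny pair from the syslog excerpt for the posted set and shows the probe to port 25 reaching the default policy untouched; with the reworked set the telnet session passes in both directions and the probe is rejected by the first destination-port rule.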