Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!nntp.coast.net!news.kei.com!newsfeed.internetmci.com!news.sprintlink.net!dfw.nkn.net!rowdy.lonestar.org!nemesis!hammy!not-for-mail
From: gordon@hammy.lonestar.org (Gordon Burditt)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IPFW filter rules...
Date: 11 Feb 1996 01:56:57 -0600
Organization: What organization?
Lines: 40
Message-ID: <4fk7g9$i2d@hammy.lonestar.org>
References: <Pine.HPP.3.91.960207170506.20192A-100000@ocean.fit.qut.edu.au> <4fe9ol$f8@ender1.techcenter.paccar.com>
NNTP-Posting-Host: hammy.lonestar.org

>A couple of things come to mind: 1) Most packet filters have an implicit "deny"
>tacked on the end of the filter rules. I.e., deny anything I haven't explicitly
>allowed. I don't know if ipfw works that way or not.
>
>2) You may be suffering from re-ordering of the rules you've written. From the
>man page on ipfw:
>
>" The system has a rule weighting system for the firewall chain. This means
> that rules are not used in the order that they are specified. To see what
> rule ordering is used, use the list command."
>
>3) Rule re-ordering can bite you big time. You might try the "list" command
>mentioned above to see the order in which your rules are being applied.

Another question on ipfw: Does the "via <interface name>" qualifier refer to
"it came *IN* via that interface" or "it's going *OUT* via that interface"?
It seems to be how it came *IN*, but I've never been able to definitely prove it.

Some obvious things to deny include denying any packet that pretends to come
from your local net or the loopback interface coming in via the PPP link.
But how does one DO that without a huge number of rules? Because of the rule
re-ordering, I can't depend on the rule order unless one rule is strictly
more specific than another one.

So, for example, this:

    ipfw addf accept udp from 0/0 domain to 0/0 domain

turns into:

    ipfw addf ldeny udp from 127.0.0.1/8 domain to 0/0 domain via tun0
    ipfw addf ldeny udp from 666.42.13.0/24 domain to 0/0 domain via tun0
    ipfw addf accept udp from 0/0 domain to 0/0 domain

and it basically triples the number of rules. If I just put in:

    ipfw addf ldeny all from 127.0.0.1/8 via tun0

along with entries with specific ports, I can't be sure which gets done first.

Gordon L. Burditt
sneaky.lonestar.org!gordon
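An added example, not from Gordon's post and not ipfw's own code: a small first-match rule evaluator in Python that shows why the single port-less anti-spoof deny on tun0 only protects every service if it is matched before the per-port accept. It assumes first-match semantics (what the poster wants, and what later ipfw does in rule-number order), that "via" means the interface the packet arrived on, and constructed addresses (192.0.2.0/24 stands in for the local net, since the post's 666.42.13.0/24 is not a valid IPv4 network).

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
LOOPBACK = ip_network("127.0.0.0/8")
LOCAL_NET = ip_network("192.0.2.0/24")  # constructed stand-in for the poster's local net

def rule(action, proto="all", src=ANY, sport=None, dst=ANY, dport=None, via=None):
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, via=via)

def matches(r, pkt):
    """True if every qualifier the rule sets agrees with the packet."""
    if r["proto"] != "all" and r["proto"] != pkt["proto"]:
        return False
    if r["via"] is not None and r["via"] != pkt["iface"]:  # assumed: incoming interface
        return False
    if ip_address(pkt["src"]) not in r["src"] or ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["sport"] is not None and r["sport"] != pkt.get("sport"):
        return False
    if r["dport"] is not None and r["dport"] != pkt.get("dport"):
        return False
    return True

def evaluate(rules, pkt):
    """First match wins (assumed semantics); an unmatched packet hits the implicit deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return "deny"

# Anti-spoof denies for the PPP link with no port qualifier: one rule per forbidden source net.
ANTI_SPOOF = [rule("deny", src=LOOPBACK, via="tun0"),
              rule("deny", src=LOCAL_NET, via="tun0")]
# The per-port accept from the post (domain = UDP port 53).
DNS_ACCEPT = [rule("accept", proto="udp", sport=53, dport=53)]
# Constructed packets: one forged to look like loopback, one from a real peer.
SPOOFED_DNS = dict(proto="udp", src="127.0.0.1", sport=53,
                   dst="192.0.2.10", dport=53, iface="tun0")
REAL_DNS = dict(proto="udp", src="198.51.100.5", sport=53,
                dst="192.0.2.10", dport=53, iface="tun0")

def check_orderings():
    """The verdict on the spoofed packet depends entirely on which rule is tried first."""
    return {
        "antispoof_first": evaluate(ANTI_SPOOF + DNS_ACCEPT, SPOOFED_DNS),
        "accept_first": evaluate(DNS_ACCEPT + ANTI_SPOOF, SPOOFED_DNS),
        "legit": evaluate(ANTI_SPOOF + DNS_ACCEPT, REAL_DNS),
    }
```

With the deny evaluated first, two port-less rules cover every service; with the accept evaluated first, the forged loopback packet is accepted, which is exactly the uncertainty the weighting system leaves open.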