From: "David Kelly" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 2:56 PM
Subject: Re: setting up ipfw


> On Wednesday 02 July 2003 11:00 am, W. D. wrote:
> >
> > Is there some guide to translate IPFW rules to English so that they
> > are understandable?
>
> They already are. Each arglist to ipfw(8) is a sentence. ipfw(8) is only
> an interpreter of those instructions which writes the instructions in a
> form ipfw(4) can understand. Or reads them back in a form you can
> understand.
>
And this is one of the things that swung my decision to ipfw
... a] the easy syntax of the rules; b] the most well-written
tutorial I found while * ST[F]?W was based on ipfw.

Consider the following somewhat biased example.
However, the answer to the "which is most like
English" ?? seems clear to me...
ipfw:

# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}

ipf:

# block address spoofing on the external interface

block in quick on ed0 from 127.0.0.1/8 to any
block in quick on ed0 from 10.0.0.0/8 to any
block in quick on ed0 from 172.16.0.0/12 to any
block in quick on ed0 from 192.168.0.0/16 to any
block in quick on ed0 from 224.0.0.0/4 to any
block in quick on ed0 from 240.0.0.0/5 to any

iptables:

# Stop RFC1918 nets on the outside interface
${fwcmd} -A INPUT -j DROP -d 10.0.0.0/8 -i ${oif}
${fwcmd} -A FORWARD -j DROP -d 10.0.0.0/8 -i ${oif}
${fwcmd} -A INPUT -j DROP -d 172.16.0.0/12 -i ${oif}
${fwcmd} -A FORWARD -j DROP -d 172.16.0.0/12 -i ${oif}
${fwcmd} -A INPUT -j DROP -d 192.168.0.0/16 -i ${oif}
${fwcmd} -A FORWARD -j DROP -d 192.168.0.0/16 -i ${oif}

To the detractors -- yeah, similar, not at all the same, though.

If I confused anyone with "my.ip.ad.dres", I'm sorry; it's
not like you couldn't do a dig, anyway, but I'm paranoid...

KDK

*Please pardon my regexp...

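Added example, not from the mail or from any of the three firewall projects: a small Python script that parses the ipfw and ipf rule lines above into one model, renders each rule as an English sentence (in the spirit of the question quoted at the top), and runs two constructed packets through both rule sets. It assumes ${oif} expands to ed0 so that both sets name one interface, matches only addresses, direction and interface (every rule above uses `all`), and uses `allow` as a stand-in default verdict; the real default depends on the kernel build and the rest of the ruleset.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed rule text. The ipfw lines are the mail's with ${fwcmd} stripped
# and ${oif} expanded to ed0 (an assumption, so both sets share an interface).
IPFW_RULES = [
    "add deny all from any to 10.0.0.0/8 via ed0",
    "add deny all from any to 172.16.0.0/12 via ed0",
    "add deny all from any to 192.168.0.0/16 via ed0",
]
IPF_RULES = [
    "block in quick on ed0 from 127.0.0.1/8 to any",
    "block in quick on ed0 from 10.0.0.0/8 to any",
    "block in quick on ed0 from 172.16.0.0/12 to any",
    "block in quick on ed0 from 192.168.0.0/16 to any",
    "block in quick on ed0 from 224.0.0.0/4 to any",
    "block in quick on ed0 from 240.0.0.0/5 to any",
]

IPFW_RE = re.compile(
    r"^add\s+(?P<action>allow|deny)\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+via\s+(?P<iface>\S+))?$")
IPF_RE = re.compile(
    r"^(?P<action>block|pass)\s+(?P<dir>in|out)\s+quick\s+on\s+(?P<iface>\S+)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)$")


@dataclass
class Rule:
    action: str            # "deny" or "allow"
    direction: str         # "in", "out" or "any"
    iface: Optional[str]   # None means any interface
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    dst: Optional[ipaddress.IPv4Network]


def _net(text):
    if text == "any":
        return None
    # strict=False tolerates host bits in the prefix, e.g. ipf's 127.0.0.1/8
    return ipaddress.ip_network(text, strict=False)


def parse_ipfw(line):
    """ipfw 'via' matches the interface whichever way the packet travels."""
    m = IPFW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipfw rule: {line!r}")
    return Rule(m["action"], "any", m["iface"], _net(m["src"]), _net(m["dst"]))


def parse_ipf(line):
    """ipf 'in'/'out' binds the rule to one direction on the named interface."""
    m = IPF_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ipf rule: {line!r}")
    action = "deny" if m["action"] == "block" else "allow"
    return Rule(action, m["dir"], m["iface"], _net(m["src"]), _net(m["dst"]))


def to_english(rule):
    src = "anywhere" if rule.src is None else str(rule.src)
    dst = "anywhere" if rule.dst is None else str(rule.dst)
    where = {"in": "arriving on", "out": "leaving via",
             "any": "passing either way through"}[rule.direction]
    return f"{rule.action} packets from {src} to {dst} {where} {rule.iface or 'any interface'}"


def matches(rule, pkt):
    if rule.direction != "any" and rule.direction != pkt["direction"]:
        return False
    if rule.iface is not None and rule.iface != pkt["iface"]:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt["src"]) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(pkt["dst"]) not in rule.dst:
        return False
    return True


def evaluate(rules, pkt, default="allow"):
    """First match wins (ipf 'quick', ipfw rule order). 'allow' as the default
    verdict is an assumption for this demonstration, not a property of either tool."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def compare(pkt):
    """Verdict of each rule set for one constructed packet."""
    return {"ipfw": evaluate([parse_ipfw(r) for r in IPFW_RULES], pkt),
            "ipf": evaluate([parse_ipf(r) for r in IPF_RULES], pkt)}


if __name__ == "__main__":
    for line in IPFW_RULES + IPF_RULES:
        rule = parse_ipfw(line) if line.startswith("add") else parse_ipf(line)
        print(f"{line:48} => {to_english(rule)}")
    # Constructed packets: a private source arriving from outside, and an
    # outbound packet addressed to a private network.
    spoofed_in = {"src": "10.1.2.3", "dst": "203.0.113.5", "iface": "ed0", "direction": "in"}
    private_out = {"src": "203.0.113.9", "dst": "192.168.1.1", "iface": "ed0", "direction": "out"}
    print("private source inbound:", compare(spoofed_in))
    print("private dest outbound :", compare(private_out))
```

Running it makes the "similar, not at all the same" point concrete: the ipfw lines match the destination on either side of the interface, so a packet with a private source arriving from outside passes them while ipf blocks it, and the ipf lines are inbound-only, so a packet leaving toward a private address passes them while ipfw drops it. A ruleset meant to keep private address space off the outside interface wants both checks.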

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"