Damion Milliken <[EMAIL PROTECTED]> wrote:
>
> > /sbin/ipfwadm -F -p deny
> > /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
> > /sbin/ipfwadm -F -a acc -D coyote
> > /sbin/ipfwadm -F -a acc -S coyote
> Could you not add a line above the two coyote lines such as:
>
> /sbin/ipfwadm -F -a deny -D coyote -S aaa.bbb.ccc.0/24
That wouldn't work, because the rule that you're adding goes to the
bottom of the list, and the preceding rule would override it.
> I think that the process for determining the action (-a) to take is
> merely a progression from one action to the next until a match is
> found. Once a match is found, I don't think further actions are
> looked for.
Yes, the list of firewall rules is searched in order, from top to
bottom. The "-a" flag, however, doesn't mean "action", it means
"append". You are appending rules to the firewall list, in kernel
memory. There is another flag "-i", which means to "insert" the rule at
the front of the list. In this way, you can put important, strict rules
at the top of the list, and loose, general rules at the bottom of the
list.
It's important to have the general rules near the bottom of the list,
because they match more packets. Once a rule matches a packet, no more
rules will be checked.
> Thus, if the deny line (as above) was before the accept lines, then it
> would be carried out.
This isn't quite right, because the deny rule is not really part of the
list. It is a "default policy" (because it's set with "-p" rather than
"-a" or "-i"). It's basically a default rule that sits at the bottom of
the list, and answers the question, "What do I do if none of these rules
match?" In this case, the firewall will deny the packet.
At any rate, the right thing to do is to set up the firewall rules in
proper priority order, usually by putting them in the right order in
your firewall setup script, using "-i" or "-a" as appropriate.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
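The ordering behaviour explained in the reply above (rules searched top to bottom, first match wins, "-a" appends, "-i" inserts at the front, "-p" answers only when nothing matched), as an added example that is not part of this thread or of ipfwadm itself: a small Python model of the -F rule list, loaded with the four commands quoted at the top and then with Damion's proposed deny rule added both ways. The address for "coyote", the documentation network standing in for aaa.bbb.ccc.0/24, the sample packets and the method names (policy_cmd, append, insert, lookup) are all constructed for this example, not taken from the original message.

```python
import ipaddress

# Constructed stand-ins (not from the original message): "coyote" as a host
# address, and a documentation network in place of the page's aaa.bbb.ccc.0/24.
COYOTE = "198.51.100.5"
OUTSIDE_NET = "203.0.113.0/24"
ANY = "0.0.0.0/0"


class ForwardChain:
    """Toy model of the ipfwadm -F rule list.

    Rules are searched top to bottom and the first match decides; -a appends
    to the end, -i inserts at the front, and -p sets the default policy that
    answers when nothing matched.  Only -S/-D address matching is modelled.
    """

    def __init__(self, policy="deny"):
        self.policy = policy      # ipfwadm -F -p <policy>
        self.rules = []           # (target, src_net, dst_net), in search order

    @staticmethod
    def _rule(target, src, dst):
        # A bare host (as ipfwadm resolves "-D coyote") becomes a /32 network.
        return (target, ipaddress.ip_network(src), ipaddress.ip_network(dst))

    def policy_cmd(self, policy):                  # ipfwadm -F -p <policy>
        self.policy = policy

    def append(self, target, src=ANY, dst=ANY):    # ipfwadm -F -a <target>
        self.rules.append(self._rule(target, src, dst))

    def insert(self, target, src=ANY, dst=ANY):    # ipfwadm -F -i <target>
        self.rules.insert(0, self._rule(target, src, dst))

    def lookup(self, src_ip, dst_ip):
        """Return the target of the first matching rule, else the policy."""
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for target, src_net, dst_net in self.rules:
            if s in src_net and d in dst_net:
                return target          # first match wins; nothing below is checked
        return self.policy             # no rule matched: the -p default answers


def base_chain():
    """The four commands quoted at the top of the thread, in script order."""
    fw = ForwardChain()
    fw.policy_cmd("deny")                              # -F -p deny
    fw.append("masq", src="192.168.1.0/24", dst=ANY)   # -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
    fw.append("accept", dst=COYOTE)                    # -F -a acc -D coyote
    fw.append("accept", src=COYOTE)                    # -F -a acc -S coyote
    return fw


def deny_appended():
    """Damion's deny rule added with -a: it lands below the accept rules."""
    fw = base_chain()
    fw.append("deny", src=OUTSIDE_NET, dst=COYOTE)     # -F -a deny -D coyote -S <outside>
    return fw.lookup("203.0.113.7", COYOTE)            # "accept": "-D coyote" matched first


def deny_inserted():
    """The same rule added with -i: it is now the first rule searched."""
    fw = base_chain()
    fw.insert("deny", src=OUTSIDE_NET, dst=COYOTE)     # -F -i deny -D coyote -S <outside>
    return fw.lookup("203.0.113.7", COYOTE)            # "deny"


def show(fw, packets):
    for src, dst in packets:
        print(f"{src:>15} -> {dst:<15} {fw.lookup(src, dst)}")


if __name__ == "__main__":
    samples = [                                        # constructed test packets
        ("203.0.113.7", COYOTE),             # outside host to coyote
        (COYOTE, "203.0.113.7"),             # coyote to outside
        ("192.168.1.50", "198.51.100.200"),  # LAN host out: masqueraded
        ("203.0.113.7", "198.51.100.200"),   # nothing matches: default policy
    ]
    print("deny rule appended (-a):")
    fw = base_chain(); fw.append("deny", src=OUTSIDE_NET, dst=COYOTE); show(fw, samples)
    print("deny rule inserted (-i):")
    fw = base_chain(); fw.insert("deny", src=OUTSIDE_NET, dst=COYOTE); show(fw, samples)
```

Running it shows the two outcomes the reply describes: with -a the outside-to-coyote packet is accepted because the earlier "-D coyote" rule wins, with -i the same packet is denied, and in both builds the LAN packet is masqueraded while the packet matching no rule falls through to the "-p deny" policy.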