Thanks, Fox, for your quick response; however, it is still letting any user surf.
I changed the -a to -i and it actually switched the policy to:
IP firewall forward rules, default policy: deny
type prot source destination ports
rej tcp net.utoronto.ca/16 anywhere any -> http
acc/m all net.utoronto.ca/16 anywhere n/a
which basically switched the two policies around. Maybe I should get rid of line 1 and change 'reject' to 'deny' on line 3?
Thanks again!
Stephen Mills
[EMAIL PROTECTED]
btw - you're a champ for letting me know of the exception rules, I'll cook up an extra kangaroo steak in honour of your response :-)
>> This may sound stupid, but I'd like to lock down port 80 on one of my
>> installations.
>
>That's what a firewall is for. :)
>
>> /sbin/ipfwadm -F -p deny
>> /sbin/ipfwadm -F -a m -S128.100.0.50/16 -D0.0.0.0/0
>> /sbin/ipfwadm -F -P tcp -a reject -W eth0 -S 128.100.0.50/16 -D 0.0.0.0/0 80 -o
>
>This is close, but I think you want to use -i instead of -a on that last
>line, or, put the masq line after the reject line.
>
>> IP firewall forward rules, default policy: deny
>> type prot source destination ports
>> acc/m all net.utoronto.ca/16 anywhere n/a
>> rej tcp net.utoronto.ca/16 anywhere any -> http
>
>You can see what's happening: The packet needs to be forwarded; the
>kernel searches for a matching rule from the top of the list; as soon as
>it sees the masq rule, it matches, so the search ends.
>
>If you put the port-80 rule first, then it will stop the packet from
>being forwarded.
>
>> Secondly, (this is pushing it I know) is it possible to only let
>> certain users use port 80??
>
>Sure. It's just an extension of the above. Give the firewall a rule
>that tells it to pass on port-80 packets from certain addresses. Just
>make sure the rule comes before the generic rule that denies them.
>
> /sbin/ipfwadm -F -p deny
> /sbin/ipfwadm -F -P tcp -a masq -W eth0 -S 128.100.1.2/32 -D 0.0.0.0/0 80
> /sbin/ipfwadm -F -P tcp -a masq -W eth0 -S 128.100.1.3/32 -D 0.0.0.0/0 80
> /sbin/ipfwadm -F -P tcp -a masq -W eth0 -S 128.100.1.4/32 -D 0.0.0.0/0 80
> /sbin/ipfwadm -F -P tcp -a reject -W eth0 -S 128.100/16 -D 0.0.0.0/0 80 -o
> /sbin/ipfwadm -F -a masq -S 128.100/16 -D 0/0
>
>It's easy once you realize that the list is searched from top to bottom,
>and that masquerading is just a particular behavior that's triggered by
>a firewall rule.
>
>--
> [EMAIL PROTECTED] (Fuzzy Fox) || "Her lips said 'No,' but her
>sometimes known as David DeSimone || eyes said 'Read my lips!'"
> http://www.dallas.net/~fox/ ||
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
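The point Fox makes, that the forward chain is searched top to bottom and the first matching rule decides, is what the three rule sets in this thread hinge on. The following is an added example (not code from either poster) that simulates that first-match walk over the rule lists quoted above; the match logic is deliberately reduced to protocol, source network and destination port, and the effect of -i (insert at head) versus -a (append) is modelled simply by the order of the rules in each list.

```python
"""Simulate an ipfwadm-style forward chain with a default policy of deny
(ipfwadm -F -p deny) and first-match rule evaluation.  Added example; the
rule lists below are transcribed from the thread, not generated by ipfwadm."""
import ipaddress

DEFAULT_POLICY = "deny"  # chain policy when no rule matches


def make_rule(action, proto, src, dport=None):
    """action: 'masq' | 'reject' | 'deny'; proto: 'all' | 'tcp' | 'udp';
    src: address/prefix as typed to -S (strict=False mimics the mask
    being applied to a host address such as 128.100.0.50/16)."""
    return {"action": action, "proto": proto,
            "src": ipaddress.ip_network(src, strict=False), "dport": dport}


def matches(rule, proto, src_ip, dport):
    if rule["proto"] != "all" and rule["proto"] != proto:
        return False
    if ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    return rule["dport"] is None or rule["dport"] == dport


def forward_decision(rules, proto, src_ip, dport):
    """Walk the chain top to bottom; the first matching rule wins, and the
    search stops there.  No match: the chain's default policy applies."""
    for rule in rules:
        if matches(rule, proto, src_ip, dport):
            return rule["action"]
    return DEFAULT_POLICY


# Order produced by the first post: masq was appended before the reject.
ORIGINAL = [make_rule("masq", "all", "128.100.0.50/16"),
            make_rule("reject", "tcp", "128.100.0.50/16", 80)]
# Fox's fix: the port-80 reject ahead of the generic masq (-i, or reorder).
FIXED = [make_rule("reject", "tcp", "128.100.0.50/16", 80),
         make_rule("masq", "all", "128.100.0.50/16")]
# Per-host exceptions from Fox's second rule set: allowed hosts first,
# then the subnet-wide port-80 reject, then the catch-all masq.
EXCEPTIONS = [make_rule("masq", "tcp", "128.100.1.2/32", 80),
              make_rule("masq", "tcp", "128.100.1.3/32", 80),
              make_rule("masq", "tcp", "128.100.1.4/32", 80),
              make_rule("reject", "tcp", "128.100.0.0/16", 80),
              make_rule("masq", "all", "128.100.0.0/16")]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("fixed", FIXED),
                        ("exceptions", EXCEPTIONS)):
        print(name, "web from 128.100.5.5:", forward_decision(chain, "tcp", "128.100.5.5", 80),
              "| web from 128.100.1.2:", forward_decision(chain, "tcp", "128.100.1.2", 80))
```

Running it shows the original order masquerading every port-80 packet because the masq rule is hit first, the fixed order rejecting them, and the exceptions chain letting only the three listed hosts through while still masquerading everything that is not port 80.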