ipfw: deny traffic between interfaces
I'm using FreeBSD 4.10 as a masquerading firewall for three private networks and want to restrict traffic between each interface (kind of like VLANs). The firewall's interfaces are configured as such:

    sis0  public
    rl0   192.168.1.1
    fxp0  192.168.2.1
    sis1  192.168.4.1

...and ipfw is configured as such:

    00050 134535198660535275 divert 8668 ip from any to any via sis0
    00100 490 81262 allow ip from any to any via lo0
    00200 0 0 deny ip from any to 127.0.0.0/8
    00300 0 0 deny ip from 127.0.0.0/8 to any
    65000 2695580217357286222 allow ip from any to any
    65535 0 0 deny ip from any to any

How can I accomplish this with ipfw? (I thought that something like `ipfw add 400 deny ip from rl0 to not sis0` would do the job, but it didn't.)

-- 
Eric P., Truckee, CA

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: ipfw: deny traffic between interfaces
On Tuesday 26 July 2005 12:19 pm, Eric Pretorious wrote:

> I'm using FreeBSD 4.10 as a masquerading firewall for three private networks and want to restrict traffic between each interface (kind of like VLANs).

FWIW: This construct *seems* to have the effect that I desire:

    ipfw add 500 deny all from any to any out recv rl0 xmit fxp0
    ipfw add 501 deny all from any to any out recv rl0 xmit sis1
    ipfw add 502 deny all from any to any out recv fxp0 xmit rl0
    ipfw add 503 deny all from any to any out recv fxp0 xmit sis1
    ipfw add 504 deny all from any to any out recv sis1 xmit rl0
    ipfw add 505 deny all from any to any out recv sis1 xmit fxp0

I'm not 100% certain of incoming/outgoing packets and the receive/transmit interfaces, though. (The man page doesn't elaborate on this rule option.)

-- 
Eric P., Truckee, CA
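The six rules in the reply above are the full set of ordered interface pairs for three private interfaces, so the list grows as k*(k-1) when interfaces are added and it is easy to miss a pair by hand. The following is an added example, not code from the thread: a small POSIX sh script that generates the same "out recv A xmit B" deny rules for any list of private interfaces (numbered from a base rule number you choose, so they land between the divert rule and the final allow as in the poster's ruleset) and an audit helper that reads an `ipfw list`-style listing on stdin and reports any pair that has no deny rule. The function names, the base number 500, and the interface set rl0/fxp0/sis1 are assumptions taken from the thread for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates and audits ipfw
# rules that stop forwarding between every pair of private interfaces,
# using the "out recv IFA xmit IFB" construct from the reply above.
# Function names and the base rule number are assumptions for illustration.

# gen_isolation_rules BASE IF1 IF2 ... : print one deny rule per ordered pair
# of distinct interfaces, numbered BASE, BASE+1, ... in the same order the
# reply used (first interface as receiver against each other interface, etc.).
gen_isolation_rules() {
    base=$1; shift
    n=$base
    for recv_if in "$@"; do
        for xmit_if in "$@"; do
            [ "$recv_if" = "$xmit_if" ] && continue
            printf 'ipfw add %d deny all from any to any out recv %s xmit %s\n' \
                "$n" "$recv_if" "$xmit_if"
            n=$((n + 1))
        done
    done
}

# count_isolation_rules IF1 IF2 ... : number of rules the generator emits;
# for k interfaces this must be k*(k-1), one per ordered pair.
count_isolation_rules() {
    gen_isolation_rules 500 "$@" | wc -l | tr -d ' '
}

# missing_isolation_pairs IF1 IF2 ... : read a rule listing on stdin (either
# the generator's output or "ipfw list" output, where "all" shows as "ip")
# and print every ordered pair "A B" that has no "deny ... out recv A xmit B"
# rule. Empty output means every pair is covered.
missing_isolation_pairs() {
    rules=$(cat)
    for recv_if in "$@"; do
        for xmit_if in "$@"; do
            [ "$recv_if" = "$xmit_if" ] && continue
            printf '%s\n' "$rules" \
                | grep -Eq "deny .*out recv $recv_if xmit $xmit_if( |\$)" \
                || printf '%s %s\n' "$recv_if" "$xmit_if"
        done
    done
}

# Dry run for the thread's firewall (rl0, fxp0 and sis1 are the private
# sides; sis0, the public side, is deliberately left out of the list so
# masqueraded traffic to the Internet is unaffected). To load the rules on
# the firewall itself, pipe the output to sh instead of just printing it.
gen_isolation_rules 500 rl0 fxp0 sis1
```

After loading, `ipfw list | missing_isolation_pairs rl0 fxp0 sis1` should print nothing; any line it does print names a receive/transmit pair that can still forward.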