Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.bhp.com.au!mel.dit.csiro.au!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!swrinde!newsfeed.internetmci.com!news.sprintlink.net!dfw.nkn.net!rowdy.lonestar.org!nemesis!hammy!not-for-mail
From: gordon@hammy.lonestar.org (Gordon Burditt)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IPFW filter rules...
Date: 13 Feb 1996 03:54:48 -0600
Organization: What organization?
Lines: 41
Message-ID: <4fpn58$5vk@hammy.lonestar.org>
References: <Pine.HPP.3.91.960207170506.20192A-100000@ocean.fit.qut.edu.au> <4fe9ol$f8@ender1.techcenter.paccar.com> <4fk7g9$i2d@hammy.lonestar.org> <4fnsss$jj6@helena.MT.net>
NNTP-Posting-Host: hammy.lonestar.org

>>>3) Rule re-ordering can bite you big time. You might try the "list" command
>>>mentioned above to see the order in which your rules are being applied.
>
>FWIW, Poul-Henning just modified the IPFW kernel sources to no longer
>re-order the rules by default, per discussions on many firewall mailing
>lists and a discussion on the FreeBSD mailing list.
>
>>Another question on ipfw: Does the "via <interface name>" qualifier
>>refer to "it came *IN* via that interface" or "it's going *OUT* via
>>that interface"? It seems to be how it came *IN*, but I've never been
>>able to definitely prove it.
>
>It implies 'on the interface', which means that packets coming or going
>will be subject to these rules.

This is very bad, but fortunately it does NOT seem to behave that way.

>I verified this on my box, which
>disallows any packets coming over the external network interface from
>sending/receiving packets to any machines in my local network.
If it works the way you say it does, then something like:

    ipfw addf ldeny all from 666.42.13.0/24 to 0/0 via tun0

ought to deny all packets coming *IN* tun0 pretending to be from my
network (good) and to deny all packets going *OUT* from my network via
tun0 (bad: I've just killed the usefulness of the PPP link) except the
spoofed ones I'm sending out.

>>Some obvious things to deny include denying any packet that pretends
>>to come from your local net or the loopback interface coming in via
>>the PPP link.
>
>Piece of cake.

Not if the 'via <interface>' means *COMING IN OR GOING OUT* of that interface.

Gordon L. Burditt
sneaky.lonestar.org!gordon
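An added illustration, not part of the post and not ipfw code: a small Python model of first-match packet filtering that shows the problem Gordon describes. An interface-only "via" rule, if it matched both directions, would drop the legitimate outbound traffic of the local net as well as the spoofed inbound packets; the same rule restricted to the inbound direction keeps the anti-spoofing effect without cutting the link. The network, interface name and sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str            # "in" (received on iface) or "out" (sent on iface)

@dataclass(frozen=True)
class Rule:
    action: str               # "deny" or "allow"
    src: str                  # CIDR, or "any" (the post's 0/0)
    dst: str
    via: str                  # interface name, matched regardless of direction
    direction: Optional[str] = None   # None models a bare "via": either direction

    def matches(self, p: Packet) -> bool:
        if self.via != p.iface:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        src_ok = self.src == "any" or ip_address(p.src) in ip_network(self.src)
        dst_ok = self.dst == "any" or ip_address(p.dst) in ip_network(self.dst)
        return src_ok and dst_ok

def filter_packet(rules, p: Packet, default: str = "allow") -> str:
    """First matching rule decides; otherwise the default policy applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

LOCAL_NET = "192.168.13.0/24"     # constructed stand-in for the poster's local net
PPP_IF = "tun0"                   # the PPP link in the post

# The post's rule, in this model's terms: source = local net, any destination, bare "via".
VIA_ONLY = [Rule("deny", LOCAL_NET, "any", PPP_IF)]
# The intended anti-spoofing rule: same match, inbound direction only.
IN_VIA = [Rule("deny", LOCAL_NET, "any", PPP_IF, direction="in")]

# Constructed sample packets.
SPOOFED_IN = Packet("192.168.13.7", "192.168.13.1", PPP_IF, "in")    # forged local source arriving on PPP
LEGIT_OUT = Packet("192.168.13.7", "203.0.113.9", PPP_IF, "out")     # real local host talking outward

def outcomes(rules) -> dict:
    return {"spoofed_in": filter_packet(rules, SPOOFED_IN),
            "legit_out": filter_packet(rules, LEGIT_OUT)}

if __name__ == "__main__":
    print("bare via :", outcomes(VIA_ONLY))   # both denied: the PPP link is useless
    print("in via   :", outcomes(IN_VIA))     # only the spoofed packet is denied
```

Later ipfw releases spell the direction explicitly with the `in` and `out` keywords (e.g. `in via tun0`), which is the form an ingress anti-spoofing rule should take.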