[afnog] ipfw question

Brian Candler B.Candler at pobox.com
Thu Nov 9 10:19:03 UTC 2006


On Thu, Nov 09, 2006 at 01:41:25AM -0800, Tumi Mogale wrote:
> i have the following setup:
> 
> 10.0.3.0/24
>  xl0  +-----------+   xl2 10.0.1.0/24 (Internet)
> ------|    ipfw   |--------
>       +-----+-----+
>             |xl1 10.0.2.0/24
>             |
>             |
> 
> what is the ipfw rule that would allow all traffic
> from xl1 (10.0.2.0/24) to xl2 (10.0.1.0/24) which is
> also the internet but not to xl0 (10.0.3.0/24)?
> 
> In short, anything from 10.0.2.0/24 must not be
> allowed to enter 10.0.3.0/24 but must be let to the
> internet via xl2.

You just have 'deny' rules for packets with a source address of 10.0.3.0/24
and a destination of 10.0.2.0/24, and vice versa. Remember that rules are
tested in order, so put these before any rule which allows outbound traffic
to the Internet (which may not be needed if you built your kernel with
IPFIREWALL_DEFAULT_TO_ACCEPT).

Alternatively, you can match on interface rather than source/destination IP.
However, what most people do is anti-spoofing early on in their ruleset:

- traffic from xl0 with source != 10.0.3.0/24 => deny
- traffic from xl1 with source != 10.0.2.0/24 => deny
- traffic from xl2 with source == 10.0.2.0/24 => deny
- traffic from xl2 with source == 10.0.3.0/24 => deny

Then later rules can trust that the source IP addresses are valid.

HTH,

Brian.
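The anti-spoofing layout above, written out as an added example for the three-interface box in the diagram (this is not from the original post or from any FreeBSD rc.firewall). The interface names and netblocks are the ones drawn in the question; the rule numbers, the DRY_RUN switch and the helper function names are assumptions made here for illustration. ipfw evaluates rules in ascending number order and stops at the first match, so the deny rules are numbered below the final allow; that final allow is only needed on a default-to-deny kernel.

```sh
#!/bin/sh
# Added example, not from the original post. Interface names and netblocks
# follow the diagram in the question; rule numbers and DRY_RUN are assumptions.

LAN_A_IF=xl0; LAN_A_NET=10.0.3.0/24
LAN_B_IF=xl1; LAN_B_NET=10.0.2.0/24
WAN_IF=xl2

# Emit the ruleset, one "add ..." line per rule, lowest number first.
# 100-130: anti-spoofing, checked on the inbound interface before anything else.
# 200-210: keep the two LANs apart in both directions; 10.0.2.0/24 can still
#          reach anything else, i.e. the Internet via xl2.
# 65000:   catch-all allow (only matters with a default-to-deny kernel).
build_rules() {
    cat <<EOF
add 100 deny ip from not $LAN_A_NET to any in via $LAN_A_IF
add 110 deny ip from not $LAN_B_NET to any in via $LAN_B_IF
add 120 deny ip from $LAN_B_NET to any in via $WAN_IF
add 130 deny ip from $LAN_A_NET to any in via $WAN_IF
add 200 deny ip from $LAN_B_NET to $LAN_A_NET
add 210 deny ip from $LAN_A_NET to $LAN_B_NET
add 65000 allow ip from any to any
EOF
}

# Sanity check before loading: rule numbers must be strictly increasing, so
# the listing order above really is ipfw's evaluation order.
check_order() {
    build_rules | {
        prev=0
        while read -r _add num _rest; do
            [ "$num" -gt "$prev" ] || { echo "rule $num out of order" >&2; exit 1; }
            prev=$num
        done
    }
}

# Load the rules. Defaults to a dry run that only prints the ipfw commands;
# run with DRY_RUN=0 as root on the firewall to load them for real.
apply_rules() {
    check_order || return 1
    build_rules | while read -r line; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ipfw $line"
        else
            ipfw $line
        fi
    done
}

apply_rules
```

Run it as-is to preview the commands; `DRY_RUN=0 sh ruleset.sh` loads them. The `in via` tests bind each anti-spoofing rule to the inbound interface, so a packet from 10.0.2.0/24 entering on xl1 passes rules 100-130, is stopped by rule 200 only if it is addressed to 10.0.3.0/24, and otherwise reaches the allow; the same packet later leaving on xl2 is a separate outbound traversal that matches none of the deny rules.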


