[afnog] ipfw question

Patrick Okui pokui at psg.com
Thu Nov 9 10:34:40 UTC 2006


On Thursday 09 November 2006 12:41, Tumi Mogale wrote:
> what is the ipfw rule that would allow all traffic
> from xl1 (10.0.2.0/24) to xl2 (10.0.1.0/24) which is
> also the internet but not to xl0 (10.0.3.0/24)?

# WARNING: untested.. use these as a skeleton, not as the gospel :D
# first start with exactly what you wrote above.. in ipfw speak
#
ipfw add deny ip from 10.0.2.0/24 to any via xl0
ipfw add allow ip from 10.0.2.0/24 to any via xl2

#(plus the rules in the other direction.. )
#
ipfw add deny ip from 10.0.3.0/24 to any via xl1
#(also you don't mention it, but i guess you'll need)
#
ipfw add allow ip from 10.0.3.0/24 to any via xl2
# packets from the internet to anywhere...
#
ipfw add allow ip from any to any recv xl2 

in the scenario that you have networks behind xl0 that you *do* want to pass 
packets for the 10.0.2/24 network you can replace the "any" on the first rule 
with 10.0.3.0/24 etc. 

man(8) ipfw is your friend.

watch the order of your ruleset (first match wins) and in general, start with 
a minimal one, do the usual ping/tcpdump tests then become more specific.


> In short, anything from 10.0.2.0/24 must not be
> allowed to enter 10.0.3.0/24 but must be let to the
> internet via xl2.
>
> -tm

-- 
patrick
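The skeleton above with explicit rule numbers so the evaluation order is fixed, plus a small first-match simulator run over the rule text, as an added example that is not part of the original thread. Interface names and networks are the ones from the question; the rule numbers, the simulator, and the sample internet address 198.51.100.7 are assumptions of this example, and nothing here calls ipfw, so it runs anywhere with sh and awk.

```shell
#!/bin/sh
# Added example, not from the post: numbered version of the skeleton
# ruleset plus a first-match simulator on the rule text.  Rule numbers
# and the simulator are assumptions; interfaces and networks come from
# the thread.  Nothing here calls ipfw.

LAN_A=10.0.2.0/24   # network behind xl1
LAN_B=10.0.3.0/24   # network behind xl0

# Print the ruleset, lowest number first (ipfw evaluates in that order).
# The denies carry lower numbers than the allows, so they are checked first.
build_ruleset() {
    printf '%s\n' \
        "add 100 deny ip from $LAN_A to any via xl0" \
        "add 110 deny ip from $LAN_B to any via xl1" \
        "add 200 allow ip from $LAN_A to any via xl2" \
        "add 210 allow ip from $LAN_B to any via xl2" \
        "add 300 allow ip from any to any recv xl2"
}

# first_match SRC RECV_IF XMIT_IF  ->  action of the first matching rule.
# A forwarded packet is checked twice: once when received (XMIT_IF is "-")
# and once when transmitted.  Interface keywords follow ipfw(8):
#   via  = the current interface (recv on the way in, xmit on the way out)
#   recv = the receive interface, testable on both passes
#   xmit = the transmit interface, outgoing pass only
# Prints "no-match" when no rule matches: the kernel's default rule applies.
first_match() {
    build_ruleset | awk -v s="$1" -v r="$2" -v x="$3" '
        {
            cur = (x == "-") ? r : x
            srcok = ($6 == s || $6 == "any")
            ifok = ($9 == "via"  && $10 == cur) ||
                   ($9 == "recv" && $10 == r) ||
                   ($9 == "xmit" && x != "-" && $10 == x)
            if (srcok && ifok) { print $3; hit = 1; exit }
        }
        END { if (!hit) print "no-match" }'
}

# Walk the paths from the question: LAN_A out to the internet, LAN_A to
# LAN_B, LAN_B to LAN_A, and a constructed internet source coming in on xl2.
for p in "$LAN_A xl1 -" "$LAN_A xl1 xl2" "$LAN_A xl1 xl0" \
         "$LAN_B xl0 xl1" "198.51.100.7 xl2 -" "198.51.100.7 xl2 xl1"; do
    set -- $p
    printf '%-14s recv=%-3s xmit=%-3s -> %s\n' "$1" "$2" "$3" "$(first_match "$1" "$2" "$3")"
done

# To load for real on the FreeBSD box (as root):
#   build_ruleset | sed 's/^/ipfw -q /' | sh
```

Received on xl1, a 10.0.2.0/24 packet matches none of these rules on its inbound pass and falls through to the default rule, which is exactly the kind of gap the ping/tcpdump test pass above is meant to surface before the ruleset gets more specific.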