[afnog] ipfw question

Tumi Mogale tumi_mogale1 at yahoo.com
Thu Nov 9 13:19:03 UTC 2006 

--- Brian Candler <B.Candler at pobox.com> wrote:
> On Thu, Nov 09, 2006 at 01:41:25AM -0800, Tumi
> Mogale wrote:
> > i have the following setup:
> > 
> > 10.0.3.0/24
> >  xl0  +-----------+   xl2 10.0.1.0/24 (Internet)
> > ------|    ipfw   |--------
> >       +-----+-----+
> >             |xl1 10.0.2.0/24
> >             |
> >             |
> > 
> > what is the ipfw rule that would allow all traffic
> > from xl1 (10.0.2.0/24) to xl2 (10.0.1.0/24) which
> is
> > also the internet but not to xl0 (10.0.3.0/24)?
> > 
> > In short, anything from 10.0.2.0/24 must not be
> > allowed to enter 10.0.3.0/24 but must be let to
> the
> > internet via xl2.
> 
> You just have 'deny' rules for packets with a source
> address of 10.0.3.0/24
> and a destination of 10.0.2.0/24, and vice versa.
> Remember that rules are
> tested in order, so put this before any rule which
> allows outbound traffic
> to the Internet (which may not be needed if you
> built your kernel with
> IPFIREWALL_DEFAULT_TO_ACCEPT)
> 
> Alternatively you can match on interface rather than
> source/destination IP.
> However what most people do is anti-spoofing early
> on in their ruleset:
> 
> - traffic from xl0 with source != 10.0.3.0/24 =>
> deny
> - traffic from xl1 with source != 10.0.2.0/24 =>
> deny
> - traffic from xl2 with source == 10.0.2.0/24 =>
> deny
> - traffic from xl2 with source == 10.0.3.0/24 =>
> deny
> 
> Then later rules can trust that the source IP
> addresses are valid.

ok, here is the scenario:

1 - i want all traffic from 10.0.3.0/24 to access
everything in 10.0.1.0/24 (the net) and 10.0.2.0/24

2 - i want all traffic from 10.0.2.0/24 to be denied
access to 10.0.3.0/24 but be allowed access to
10.0.1.0/24 (the net)

here is the rule i thought would work for case 2:

ipfw add 00xx allow all from 10.0.2.0/24 to any not
10.0.3.0/24

(or is this a bad use of the "not" syntax?)

-tm


 
____________________________________________________________________________________
Cheap talk?
Check out Yahoo! Messenger's low PC-to-Phone call rates.
http://voice.yahoo.com

More information about the afnog mailing list