possible to block one address on all ports?
Kim Shrier
kim at tinker.com
Sun Jan 18 16:42:23 PST 2009
On Jan 18, 2009, at 4:28 PM, fbsdmail at dnswatch.com wrote:
> Greetings Kim, and thank you very much for such a concise overview...
>
... snip ...
>
> I find I'm only left with one question:
> If my box is assigned an internet routable IP (not a private IP),
> which address should take precedence? In other words, knowing that
> IPFW works "top down", or "first match", how would/should I add my
> internet routable IP (assuming I should)? Or should I simply replace
> 127.0.0.1 with my internet routable IP as shown in your example?
>
> I see you have posted another reply. I'll see if you've already
> addressed my question in that reply. :)
>
> Thank you again for taking the time to be so helpful.
>
> Best wishes.
>
> --Chris
>
You don't need to do anything for your routable IP address. Packets
going to and coming from that IP will be matched by rule 65000 and
go on through the filter. Also, you don't want to change rules 100
through 300 regardless of the IP address of your interface.
I don't know what you are doing with your machine, but you can look
at the rules inserted by the WORKSTATION or SIMPLE firewall
configurations to see how to do more sophisticated filtering. I also
recommend the book, "Building Internet Firewalls" by Chapman and Zwicky,
to learn more about packet filtering.
Kim
--
Kim Shrier - principal, Shrier and Deihl - mailto:kim at tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/
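The point of the reply above, that IPFW is evaluated top-down with the first matching rule winning, so traffic to and from the routable address simply falls through rules 100-300 to the catch-all rule 65000, can be checked without a FreeBSD box by modelling the evaluation. The following is an added example, not code from this thread or from FreeBSD. The bodies of rules 100, 200, 300 and 65000 are assumed to be the loopback rules and the "open" catch-all that FreeBSD's /etc/rc.firewall installs (the thread refers to them only by number); the packet samples, the interface name em0 and the addresses (203.0.113.10 standing in for the box's routable IP) are constructed for the illustration. It also shows what happens if 127.0.0.1 in rule 200 is replaced with the routable IP, as the question considered.

```python
"""First-match model of a minimal IPFW ruleset (added example, not from the thread).

Rules 100-300 and 65000 follow the loopback protection and "open" catch-all
that FreeBSD's /etc/rc.firewall installs (assumption: the earlier example in
the thread used that default layout). Packets, addresses and the interface
name em0 are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow" or "deny"
    src: str                   # "any" or a CIDR prefix
    dst: str                   # "any" or a CIDR prefix
    via: Optional[str] = None  # interface name; None means any interface


RULES = [
    Rule(100, "allow", "any", "any", via="lo0"),  # pass all from any to any via lo0
    Rule(200, "deny", "any", "127.0.0.0/8"),      # deny all from any to 127.0.0.0/8
    Rule(300, "deny", "127.0.0.0/8", "any"),      # deny ip from 127.0.0.0/8 to any
    Rule(65000, "allow", "any", "any"),           # "open" profile catch-all
]
# Kernel default rule: deny unless built with IPFIREWALL_DEFAULT_TO_ACCEPT.
DEFAULT_RULE = (65535, "deny")


def _addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def first_match(packet: dict, rules=RULES):
    """Emulate ipfw's top-down, first-match evaluation.

    Returns (rule number, action) of the first rule whose interface, source
    and destination all match the packet, or DEFAULT_RULE if none does.
    """
    for r in sorted(rules, key=lambda r: r.number):
        if r.via is not None and r.via != packet["iface"]:
            continue
        if _addr_matches(r.src, packet["src"]) and _addr_matches(r.dst, packet["dst"]):
            return r.number, r.action
    return DEFAULT_RULE


# Constructed traffic samples. 203.0.113.10 (TEST-NET-3) stands in for the
# box's routable address; em0 is an assumed external interface.
ROUTABLE = "203.0.113.10"
SAMPLES = {
    "inbound to routable IP":    {"src": "198.51.100.7", "dst": ROUTABLE, "iface": "em0"},
    "outbound from routable IP": {"src": ROUTABLE, "dst": "198.51.100.7", "iface": "em0"},
    "local loopback":            {"src": "127.0.0.1", "dst": "127.0.0.1", "iface": "lo0"},
    "loopback address on wire":  {"src": "198.51.100.7", "dst": "127.0.0.1", "iface": "em0"},
}


def evaluate(rules=RULES) -> dict:
    """Run every sample through the ruleset; maps sample name -> (number, action)."""
    return {name: first_match(pkt, rules) for name, pkt in SAMPLES.items()}


# The mistake the question considered: 127.0.0.1 in rule 200 swapped for the
# routable IP. Every inbound packet to the box is then denied at rule 200
# before 65000 is ever reached.
SWAPPED_RULES = [
    Rule(200, "deny", "any", ROUTABLE + "/32") if r.number == 200 else r
    for r in RULES
]


if __name__ == "__main__":
    for name, (num, act) in evaluate().items():
        print(f"{name:28s} -> rule {num:5d} {act}")
    print("with 127.0.0.1 replaced by the routable IP in rule 200:")
    print("  inbound to routable IP     ->", first_match(SAMPLES["inbound to routable IP"], SWAPPED_RULES))
```

Running it shows both directions of traffic on the routable address reaching rule 65000 untouched, loopback traffic passing at rule 100, a loopback destination arriving on em0 stopped at rule 200, and, with the substitution, all inbound traffic to the box denied at rule 200, which is why the loopback rules are left alone whatever the interface address is.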