Re: Ipfw accept rule

From: David Atkinson (david_at_atkinsonet.com)
Date: 09/23/04

  • Next message: Per Engelbrecht: "RE: funny customers" 
    Date: Thu, 23 Sep 2004 17:16:14 +1000 (EST)
To: Bikrant Neupane <bikrant_ml@wlink.com.np>

    Are you looking for something like count? The whole idea of an allow rule
    is that once it matches it is assumed that you actually do want that
    packet and there is no point continuing through the ruleset. If you want
    to have a general allow rule with a few specific exclusions, add one or
    two deny rules for the specific cases and then have your more general
    allow rule. One problem that does occur with this plan is that it becomes
    very easy to overload your server with lots of rarely matched deny rules.
    If you find the time in interupt going too high look at constructing some
    blocks of rules and setup some skipto rules. In the case of blocking
    (firewalling off) well known sources of spam, a lot of rules can be
    generated very quickly. As these only apply to port 25 traffic, as skipto
    can be used to skip these rules for all other traffic.

    1000 skipto 2000 tcp from any to any 25
    1100 skipto 4000 ip from any to any
    2000 deny ip from spammer.com to any
    ...

    HTH,
    David Atkinson

    On Thu, 23 Sep 2004, Bikrant Neupane wrote:

    > Hi,
    > When a packet hits "allow | accept | pass | permit" rule the packet is
    > accepted and the search is retiminated at that point.
    >
    > I need to accept the packet but still want the packet to continue travers
    > rules further below. However, once it hits "deny | drop" rule it should be
    > dropped and the search should terminate at that point. Is that possible with
    > IPFW?
    >
    > regards,
    > Bikrant
    >
    >
    > _______________________________________________
    > freebsd-isp@freebsd.org mailing list
    > http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    > To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
    >
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"

  • Next message: Per Engelbrecht: "RE: funny customers"

    Relevant Pages

    • Re: Firewall Performance Question.
      ... rukles any packet has to travers for example... ... 100 skipto 1000 ip from 1.0.0.0/4 to my-ip ... 1001 deny ip from 65.65.26.7 to any ... This would in effect redduce the number of rules any packet was traversing by ...
      (freebsd-net)
    • RE: Firewall problem
      ... you have "allow ip from any to any" before your deny rules, ... is seriously faulty a packet will match that rule and ... > Subject: Firewall problem ... To unsubscribe, ...
      (freebsd-questions)
    • Re: One OR MORE of source and destination addresses?
      ... Mark wrote: ... I would still like to hear a suggestion as to how to ... > packet pass, provided there are less then 32 connections in total. ... it can just skipto the next rule to be checked. ...
      (freebsd-questions)
    • Re: Ipchains help
      ... >> prior to those accepts the packet then the rule won't be reached. ... > just after I have flushed everything and set the default deny rules. ... You might add a new chain and jump into that chain rather than DENY. ... Nigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK ...
      (comp.security.firewalls)