Re: Ipfw accept rule
From: David Atkinson (david_at_atkinsonet.com)
Date: 09/23/04
- In reply to: Bikrant Neupane: "Ipfw accept rule"
Date: Thu, 23 Sep 2004 17:16:14 +1000 (EST)
To: Bikrant Neupane <bikrant_ml@wlink.com.np>
Are you looking for something like count? The whole idea of an allow rule
is that once it matches it is assumed that you actually do want that
packet and there is no point continuing through the ruleset. If you want
to have a general allow rule with a few specific exclusions, add one or
two deny rules for the specific cases and then have your more general
allow rule. One problem that does occur with this plan is that it becomes
very easy to overload your server with lots of rarely matched deny rules.
If you find the time in interrupt going too high, look at constructing some
blocks of rules and set up some skipto rules. In the case of blocking
(firewalling off) well known sources of spam, a lot of rules can be
generated very quickly. As these only apply to port 25 traffic, skipto
can be used to skip these rules for all other traffic.
1000 skipto 2000 tcp from any to any 25
1100 skipto 4000 ip from any to any
2000 deny ip from spammer.com to any
...
HTH,
David Atkinson
On Thu, 23 Sep 2004, Bikrant Neupane wrote:
> Hi,
> When a packet hits "allow | accept | pass | permit" rule the packet is
> accepted and the search is terminated at that point.
>
> I need to accept the packet but still want the packet to continue traversing
> rules further below. However, once it hits "deny | drop" rule it should be
> dropped and the search should terminate at that point. Is that possible with
> IPFW?
>
> regards,
> Bikrant
>
>
> _______________________________________________
> freebsd-isp@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-isp
> To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
>
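To make the two points in David's reply concrete (an allow rule ends the search while count does not, and a skipto block keeps non-SMTP traffic from walking a long list of port 25 deny rules), here is an added example that is not part of the list thread and is not ipfw code: a small Python model of ipfw rule traversal. The rule numbers follow the sketch above (1000/1100 skipto, deny block at 2000, general allow at 4000); the host names, the fifty spam sources and the final default-deny rule are constructed for the example.

```python
"""Constructed model of ipfw rule traversal (illustration, not ipfw itself).

Semantics modelled:
  allow / deny  - terminal: the first match decides the packet
  count         - non-terminal: match is recorded, search continues
  skipto N      - continue at the first rule numbered >= N
  end of list   - treated as deny (a default-deny kernel)
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp"
    src: str                    # constructed host label, e.g. "spammer3.example"
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow", "deny", "count", "skipto"
    proto: str = "ip"           # "ip" matches every protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    target: Optional[int] = None  # jump target for skipto

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.src != "any" and self.src != pkt.src:
            return False
        if self.dst != "any" and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Walk the ruleset in rule-number order.

    Returns (verdict, rules_examined); the second value is the cost David's
    interrupt-time remark is about.
    """
    rules = sorted(rules, key=lambda r: r.number)
    i, examined = 0, 0
    while i < len(rules):
        rule = rules[i]
        examined += 1
        if rule.matches(pkt):
            if rule.action in ("allow", "deny"):
                return rule.action, examined          # search stops here
            if rule.action == "skipto":
                # resume at the first rule numbered >= target
                i = next((j for j, r in enumerate(rules)
                          if r.number >= rule.target), len(rules))
                continue
            # "count": fall through and keep searching
        i += 1
    return "deny", examined                           # modelled default rule


# Constructed list of spam sources; a real list would come from a blocklist.
SPAM_SOURCES = [f"spammer{n}.example" for n in range(50)]


def build_skipto_ruleset(spam_sources: List[str]) -> List[Rule]:
    """The layout from the reply: only port 25 traffic visits the deny block."""
    rules = [
        Rule(1000, "skipto", proto="tcp", dport=25, target=2000),
        Rule(1100, "skipto", target=4000),
    ]
    rules += [Rule(2000 + i, "deny", src=s) for i, s in enumerate(spam_sources)]
    rules.append(Rule(3000, "allow", proto="tcp", dport=25))   # clean SMTP
    rules.append(Rule(4000, "allow"))                          # everything else
    return rules


def build_flat_ruleset(spam_sources: List[str]) -> List[Rule]:
    """Same policy without skipto: every packet walks every deny rule."""
    rules = [Rule(2000 + i, "deny", proto="tcp", dport=25, src=s)
             for i, s in enumerate(spam_sources)]
    rules.append(Rule(4000, "allow"))
    return rules


if __name__ == "__main__":
    web = Packet("tcp", "client.example", "www.example", 80)
    print("skipto layout:", evaluate(build_skipto_ruleset(SPAM_SOURCES), web))
    print("flat layout:  ", evaluate(build_flat_ruleset(SPAM_SOURCES), web))
```

Running it shows a web packet examining 3 rules under the skipto layout versus 51 under the flat one, while a port 25 packet from a listed source is still denied inside the block; swapping the first rule of a two-rule set between count and allow shows why count is the action that lets the search continue.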