On Fri, 26 Mar 1999, Dave G. wrote:

> > -----Original Message-----
> > From: John D. Hardin [mailto:[EMAIL PROTECTED]]
> >
> > You can't, not explicitly. ipfwadm and the 2.0 kernel only recognize
> > TCP, UDP, ICMP and ALL.
> >
> > What you can do is, at the end of your firewall file block TCP, UDP
> > and ICMP explicitly on the Inet interface. Then add rules to deal with
> > "other" traffic...
> >
> > ipfwadm -I -a deny $INET -p tcp
> > ipfwadm -I -a deny $INET -p udp
> > ipfwadm -I -a deny $INET -p icmp
> >
> > then, accept but don't log:
> >
> > ipfwadm -I -a accept $INET
> >
> > ...
>
> John,
>
> Thanks for your response. I haven't looked at it yet, but do the 2.2
> kernel and ipchains provide a better solution to this problem? I guess I
> prefer shutting off the world to everything except things I want versus
> shutting off what I can then turn on everything else.

Oh, most definitely. ipchains allows you to specify protocols explicitly,
so you can treat it with the same precision as TCP and UDP traffic.

> I thought of another possible solution although I'm not sure how secure this
> would be. I maybe could allow everything in only for the IP address of the
> multicast router (24.93.0.234) -- or combining your idea and mine, deny the
> three protocols and allow everything else just for that IP address.

That's the best solution, of course. Only allow what you want to see,
block the rest.

ipfwadm -I -a accept $INET -S 24.93.0.234/32 -D 224.0.0.0/24
ipfwadm -I -a deny $INET -o

> For reference, the log entry in question was:
> Mar 24 00:07:44 homebase kernel: IP fw-in rej eth1 PROTO=2 24.93.0.234
> 224.0.0.1 L=28 S=0x00 I=34902 F=0x0000 T=1

--
John Hardin KA7OHZ                                  [EMAIL PROTECTED]
 pgpk -a finger://gonzo.wolfenet.com/jhardin    PGP key ID: 0x41EA94F5
 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
 In the Lion the Mighty Lion the Zebra sleeps tonight...
 Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
 53 days until Star Wars episode I

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
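To see how the two rule orderings in this thread treat the logged IGMP packet, here is an added Python model (not code from the list or from either poster): it parses the kernel log line quoted above and walks a rule list with ipfwadm's first-match semantics. It assumes a default input policy of accept and ignores the interface match, both simplifications of the real ipfwadm behaviour.

```python
import ipaddress
import re

# Protocol numbers as they show up in the PROTO= field of the kernel log
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

# Constructed copy of the log entry quoted in the thread (protocol 2 = IGMP)
LOG_LINE = ("Mar 24 00:07:44 homebase kernel: IP fw-in rej eth1 PROTO=2 "
            "24.93.0.234 224.0.0.1 L=28 S=0x00 I=34902 F=0x0000 T=1")

LOG_RE = re.compile(
    r"IP fw-(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+)")

def parse_fw_log(line):
    """Extract chain, verdict, interface, protocol number, src and dst from an ipfwadm log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipfwadm log entry: %r" % line)
    fields = m.groupdict()
    fields["proto"] = int(fields["proto"])
    return fields

# The two orderings discussed in the thread, as (verdict, proto, src, dst).
# proto None stands for ipfwadm's "all"; the first matching rule wins.
BLOCK_KNOWN_ACCEPT_REST = [          # deny tcp/udp/icmp, accept everything else
    ("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0"),
    ("deny", "udp", "0.0.0.0/0", "0.0.0.0/0"),
    ("deny", "icmp", "0.0.0.0/0", "0.0.0.0/0"),
    ("accept", None, "0.0.0.0/0", "0.0.0.0/0"),
]
ACCEPT_ROUTER_DENY_REST = [          # accept only the multicast router, deny the rest
    ("accept", None, "24.93.0.234/32", "224.0.0.0/24"),
    ("deny", None, "0.0.0.0/0", "0.0.0.0/0"),
]

def verdict(rules, proto, src, dst, default="accept"):
    """Walk the rules in order; 'default' models the chain policy (assumed accept)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst in rules:
        if rproto is not None and PROTO_NUM[rproto] != proto:
            continue
        if s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst):
            return action
    return default

def verdict_for_log(rules, line):
    """Replay a logged packet through a rule list."""
    p = parse_fw_log(line)
    return verdict(rules, p["proto"], p["src"], p["dst"])
```

Replaying the quoted entry shows both orderings accept the router's IGMP packet, but only the second one still denies protocol-2 traffic from any other source.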
