Francis GALIEGUE <[EMAIL PROTECTED]> wrote:
>
> I'm not a real bummer with TCP/IP, but the output of ipfwadm -[IOF] -l
> -n looks cryptic to me.
Well, I guess it depends on how much you know about IP, and routing.
> root!rtfm ~ # ipfwadm -I -l -n
> IP firewall input rules, default policy: deny
> type  prot source        destination    ports
> acc   all  10.0.0.0/8    0.0.0.0/0      n/a
> deny  all  10.0.0.0/8    0.0.0.0/0      n/a
> acc   all  0.0.0.0/0     212.39.129.56  n/a
> acc   all  0.0.0.0/0     0.0.0.0/0      n/a
> deny  all  0.0.0.0/0     0.0.0.0/0      n/a
These are your input firewall rules, and they determine whether a packet
should be accepted. The list is traversed from top to bottom and when a
match is found, the corresponding action is taken.
The first rule says that if a packet is from any IP address in the
10.*.*.* network, going to any destination, it will be accepted. The
next rule says that any packet from 10.*.*.* will be dropped.
> Even if I know that lines are interpreted one after another, I really
> cannot make any sense out of this output... For example why line 2 is
> exactly the opposite of line 1...
You are correct. The second rule will never take effect, because the
first rule overrides it.
Correspondingly, the third rule allows traffic from a specific host, but
that's immaterial, because the following rule allows all traffic from
ANY host. The fifth rule is essentially ignored, because it will never
be reached. All packets will either match the first, third, or fourth
rules.
So, you are correct that your firewall rules don't make a lot of sense.
So, why did you set them up that way?? :)
The kernel has no rules at all by default, so one of your startup
scripts must have set these rules up. Find out where that's happening,
then change it to be what you really want.
What DO you really want your firewall to do, anyway?
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
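
Added example, not part of the original message: a first-match shadowing check in Python, run over the listing quoted above. It assumes ports are n/a as in that listing, so only protocol, source and destination are compared; the function names are illustrative. It flags only rules that an earlier rule already covers completely.

```python
import ipaddress

# Listing copied from the quoted `ipfwadm -I -l -n` output in the message.
LISTING = """\
IP firewall input rules, default policy: deny
type prot source destination ports
acc all 10.0.0.0/8 0.0.0.0/0 n/a
deny all 10.0.0.0/8 0.0.0.0/0 n/a
acc all 0.0.0.0/0 212.39.129.56 n/a
acc all 0.0.0.0/0 0.0.0.0/0 n/a
deny all 0.0.0.0/0 0.0.0.0/0 n/a
"""

def parse_rules(text):
    """Turn each rule line into (action, proto, src_net, dst_net)."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            src = ipaddress.ip_network(fields[2], strict=False)
            dst = ipaddress.ip_network(fields[3], strict=False)
        except ValueError:
            continue  # banner or column header, not a rule
        rules.append((fields[0], fields[1], src, dst))
    return rules

def covers(a, b):
    """True if every packet matching rule b also matches rule a."""
    proto_ok = a[1] == "all" or a[1] == b[1]
    return proto_ok and b[2].subnet_of(a[2]) and b[3].subnet_of(a[3])

def find_shadowed(rules):
    """Map each unreachable rule number to the earlier rule that wins."""
    shadowed = {}
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                shadowed[j + 1] = i + 1  # 1-based, as in the discussion
                break
    return shadowed

if __name__ == "__main__":
    for rule_no, by in find_shadowed(parse_rules(LISTING)).items():
        print(f"rule {rule_no} is unreachable: rule {by} matches first")
```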