List: ipfilter
Subject: Re[8]: Install on redhat 5.1
From: Igor Podlesny <subscr () morning ! ru>
Date: 2001-04-26 8:55:19
>>
>>Hello!
>>
>>After I began reading the answer to my previous letter (by "Rob
>>MacGregor"), I started to think that I was wrong here and there...
>>...but then, later, I realized I wasn't -- the thing I can't understand is
>>the writing of statements by people who are unsure of them themselves.
>>What does it serve for? If I am unsure I always say so and
>>try to be clearly understood.
>>
>>Rob, my advice -- stop doing this :)
> Could say the same to you :->
ok :)
I won't point my finger :)
>>Here is my answer to you:
>>? =8-) (may be I missed something, of course)
>>
>>plz, show me how you can easily separate IP flow with IPFILTER into such
>>groups:
>> -- DESTINED TO ROUTER
>> -- TRANSIT
>> -- SOURCED BY ROUTER
> Ok:
> DESTINED TO ROUTER
> block in quick from any to <ROUTER IP> head 11
> (sends all packets destined to router to group 11)
> TRANSIT
> block in quick from any to any head 12
> (after the above will send all other packets to group 12)
> SOURCED BY ROUTER
> block out quick from any to any head 13
> (in theory anyway, I've never tried it)
>>taking into consideration that the router has lots of NICs and their IPs
>>can change, for e.g.?
> Ah, now that's where it gets complicated for the DESTINED TO ROUTER part.
> You'd probably have to write a script wrapper to handle this on IP change.
yeah, Rob. it is very complicated to use ipfw or ipfilter to fit these
purposes.. I wrote myself a kind of macro analyzer, which allows me
to use syntax like:
block in all from any to XPN_THIS_R_IPS
and after processing it becomes something like this:
block in all from any to 1.1.1.1/32
block in all from any to 1.1.2.1/32
...
block in all from any to 9.9.9.1/24
(for e.g.)
It allows multiple VARs per line, for e.g. having 'told' it this:
A B
where A = (1, 2) and B = (3, 4)
you will 'hear':
1 3
1 4
2 3
2 4
in short, it's just a shell script which expands variables in
lines till 'kill'em all' :) ...
Also, I can say XPN_INOUT here
block XPN_INOUT all
and will get the mentioned 2 lines (block in all ...)
ugh...
But it's kinda ugly.
I can't wait for such a statement to work correctly:
block XPN_INOUT quick from ! XPN_ALLOWED_IPS to XPN_LOCAL_IPS
'cause it won't process all lines below after the first match... (yes, I
know I can remove quick and add a corrector to save the logic
(possibly with groups).. but I can't do the same trick in `ipfw' 'cause
it is always `quick' :))
So that's why it is ugly and `ipfilter' is not too close to an ideal
:)
I bet a firewall like `netfilter' or BSDi's `ipfw' is more useful and
convenient. The only thing about `netfilter' making me sick is its
Linux-2.4-or-higher-only nature. BSDi's firewall is not too far from BSD,
may be some day.. ;)
>>You said about 2 lines and were too busy to show these lines? Sounds
>>childish.
> Sorry, my IP Filter box is at home and I wasn't there when I sent that
> email. However the rules are in the IP Filter examples:
> block in all
> block out all
> (or replace all with from any to any)
>>(I think I got you, but you didn't get me right... yeah IPFILTER can
>>block BY DEFAULT... yeah it can be said in KERNEL config and so on...
>>but it will block ALL :) I was talking about BLOCKING ALL EXCEPT TRANSIT
>>packets...)
> Ahh, had misread. Still possible though not so simply :-)
> <---SNIP--->
>>you mean you can say
>>
>>block all
>>
>>?
>>
>>so why do your firewall rules start with two statements? (block in,
>>and block out)?
> Ok, ok, I was having a bad day and didn't re-read my email :-) That's what
> I get for not taking my coffee.
I see...
And I can understand it... but, anyway, be more attentive in
interaction with the world :)
>>man 5 ipf, dude...
> <---SNIP--->
--
Igor mailto:poige@morning.ru
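The macro expansion Igor describes above (one XPN_ variable per value, several variables per line giving the Cartesian product) as an added POSIX sh illustration; this is not his script, which is not on the page, and the XPN_ names, the addresses and the 'A B' values are constructed for the example.

```shell
# Constructed macro definitions for this example (not real router addresses).
XPN_INOUT="in out"
XPN_THIS_R_IPS="1.1.1.1/32 1.1.2.1/32 9.9.9.1/24"
XPN_A="1 2"
XPN_B="3 4"

# Print the space-separated values bound to macro $1 (indirect lookup).
# The name is validated first so a crafted token cannot reach eval.
xpn_values() {
    case $1 in *[!A-Za-z0-9_]*) return 1 ;; esac
    eval "printf '%s\n' \"\$$1\""
}

# Expand one rule template: take the first XPN_ token, substitute each of its
# values and recurse, so N macros yield the Cartesian product of their values.
# Recursion runs in a subshell so the caller's variables are not clobbered.
xpn_expand_line() {
    _line=$1
    _macro=""
    for _tok in $_line; do          # tokens are keywords/addresses, no globs
        case $_tok in XPN_*) _macro=$_tok; break ;; esac
    done
    if [ -z "$_macro" ]; then
        printf '%s\n' "$_line"      # no macro left: emit the concrete rule
        return 0
    fi
    _vals=$(xpn_values "$_macro") || _vals=""
    if [ -z "$_vals" ]; then
        printf 'xpn: undefined or invalid macro %s\n' "$_macro" >&2
        return 1
    fi
    _head=${_line%%"$_macro"*}      # text before the first occurrence
    _tail=${_line#*"$_macro"}       # text after it
    for _val in $_vals; do
        ( xpn_expand_line "$_head$_val$_tail" )
    done
}

# Expand a whole template read from stdin; blank and # lines pass through.
xpn_expand_stream() {
    while IFS= read -r _rule; do
        case $_rule in ''|'#'*) printf '%s\n' "$_rule" ;;
                       *) xpn_expand_line "$_rule" ;; esac
    done
}
xpn_expand_stream <<'EOF'
# 2 directions x 3 addresses = 6 rules; 'quick' still stops at the first match
block XPN_INOUT quick from any to XPN_THIS_R_IPS
EOF
```

Expansion only multiplies lines; it does nothing about the first-match semantics of `quick` that the message complains about, so that part still needs ordering or groups.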