ipfw3: match multiple ports in a rule

Bill Yuan bycn82 at gmail.com
Fri Nov 25 19:21:16 PST 2016


Hi Chuck,

By default, the filters are joined with 'and', and currently 'or' can only
join a filter which is the same as the previous one.

Technically we can enhance it by supporting different types of filter to
make it more flexible.

Regards,
Bill Yuan


On 26 November 2016 at 07:34, Chuck Musser <cmusser at sonic.net> wrote:

>
> > On Nov 25, 2016, at 5:38 AM, Bill Yuan <bycn82 at gmail.com> wrote:
> >
> > Hi Chuck,
> >
> > Sorry for replying late. I was super busy recently.
> >
> > Yes, ipfw3 supports an 'or' block, and we can use 'or' to join all the
> filters, so your firewall rules can be shortened as:
> >
> >       ipfw3 add [rule number] allow tcp to 1.2.3.4 dst-port 22 or 80
> >
>
> Not late at all. Thanks for the response. I tried something similar to what
> you are describing, but then those
> services (HTTP and SSH) were not accessible. To isolate the problem, I've
> put together 2 minimal sets of rules
> that I think should be functionally identical, but aren't:
>
> Attempt #1 (non shortened), which works:
>
> # External address: SSH sessions originating from elsewhere
> ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22
> ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22
>
> # External address: HTTP sessions originating from elsewhere
> ipfw3 add 15 set 1 allow tcp to 1.2.3.4 dst-port 80
> ipfw3 add 22 set 1 allow tcp from 1.2.3.4 src-port 80
>
> # External address: DNS requests
> ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
>
> # External address: DNS responses
> ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
>
>
> Attempt #2 (shortened with "or"), which didn't:
>
> # External address: SSH or HTTP sessions originating from elsewhere
> ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22 or 80
> ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22 or 80
>
> # External address: DNS requests
> ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
>
> # External address: DNS responses
> ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
>
> Notes:
>
> 1. I expected the combination of rules 10, 20, 15 and 22 from #1 to be
> equivalent to rules 10 and 20 from #2.
> 2. Rules 30 and 35 in both examples are to allow DNS queries to flow.
> These work fine.
>
>
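The two rulesets above are meant to be equivalent, and Bill's reply states the semantics the parser is supposed to apply: filters within one rule are joined with 'and', and 'or' joins another value for the same filter. The following is an added model of exactly that description, written for this page; it is not ipfw3 source and does not reproduce whatever made attempt #2 fail on the real firewall. It parses both rulesets, evaluates constructed packets against them with first-match-wins and an assumed default deny, and reports any packet the two rulesets judge differently. The `Packet`, `Rule`, `parse_rule`, `verdict` and `differing` names, the treatment of `ip` as matching any protocol, and the exact-address matching are all assumptions of this model.

```python
"""Model of the ipfw3 rule semantics described in the thread (added
illustration, not ipfw3 code). Assumptions: filters in a rule are ANDed,
'or' after a port adds an alternative port to that same filter, rules are
tried in ascending number order, first match wins, unmatched packets are
denied, 'ip' matches any protocol, addresses must match exactly."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str                 # "tcp", "udp" or "ip" (any)
    src: Optional[str]         # None = any source address
    dst: Optional[str]         # None = any destination address
    sports: FrozenSet[int]     # empty = any source port
    dports: FrozenSet[int]     # empty = any destination port

    def matches(self, p: Packet) -> bool:
        # Every filter present must hold ('and'); a port filter with several
        # values holds if any one of them matches ('or').
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.sports and p.sport not in self.sports:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse 'ipfw3 add N [set S] ACTION PROTO [from A] [to B]
    [src-port P [or P ...]] [dst-port P [or P ...]]'."""
    tok = line.split()
    if tok[:2] != ["ipfw3", "add"]:
        raise ValueError(f"not an ipfw3 add command: {line}")
    number, i = int(tok[2]), 3
    if tok[i] == "set":            # 'set N' is bookkeeping here; skip it
        i += 2
    action, proto = tok[i], tok[i + 1]
    i += 2
    src = dst = None
    sports, dports = set(), set()
    while i < len(tok):
        kw = tok[i]
        if kw in ("from", "to"):
            if kw == "from":
                src = tok[i + 1]
            else:
                dst = tok[i + 1]
            i += 2
        elif kw in ("src-port", "dst-port"):
            ports = {int(tok[i + 1])}
            i += 2
            # 'or' joins another value to the same port filter
            while i + 1 < len(tok) and tok[i] == "or":
                ports.add(int(tok[i + 1]))
                i += 2
            (sports if kw == "src-port" else dports).update(ports)
        else:
            raise ValueError(f"unsupported keyword {kw!r} in: {line}")
    return Rule(number, action, proto, src, dst,
                frozenset(sports), frozenset(dports))


def parse_ruleset(text: str) -> List[Rule]:
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r.number)


def verdict(rules: List[Rule], p: Packet) -> Tuple[Optional[int], str]:
    """First matching rule wins; assumed default deny when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.number, r.action
    return None, "deny"


def differing(a: List[Rule], b: List[Rule], pkts: List[Packet]) -> List[Packet]:
    """Packets on which the two rulesets reach different actions."""
    return [p for p in pkts if verdict(a, p)[1] != verdict(b, p)[1]]


# Attempt #1 and attempt #2 from the message above, verbatim.
LONG_RULES = parse_ruleset("""
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22
ipfw3 add 15 set 1 allow tcp to 1.2.3.4 dst-port 80
ipfw3 add 22 set 1 allow tcp from 1.2.3.4 src-port 80
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
""")
SHORT_RULES = parse_ruleset("""
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22 or 80
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22 or 80
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
""")

# Constructed sample traffic (documentation-range addresses).
PACKETS = [
    Packet("tcp", "198.51.100.7", "1.2.3.4", 51000, 22),   # inbound SSH
    Packet("tcp", "1.2.3.4", "198.51.100.7", 22, 51000),   # SSH reply
    Packet("tcp", "198.51.100.7", "1.2.3.4", 51001, 80),   # inbound HTTP
    Packet("tcp", "1.2.3.4", "198.51.100.7", 80, 51001),   # HTTP reply
    Packet("udp", "1.2.3.4", "192.0.2.53", 40000, 53),     # DNS query
    Packet("udp", "192.0.2.53", "1.2.3.4", 53, 40000),     # DNS response
    Packet("tcp", "198.51.100.7", "1.2.3.4", 51002, 443),  # not allowed
    Packet("tcp", "198.51.100.7", "1.2.3.4", 22, 443),     # src-port 22 alone must not open 443
]

if __name__ == "__main__":
    for p in PACKETS:
        print(p, "long:", verdict(LONG_RULES, p), "short:", verdict(SHORT_RULES, p))
    print("packets judged differently:", differing(LONG_RULES, SHORT_RULES, PACKETS))
```

Under the described semantics `differing()` comes back empty, which is the equivalence Chuck expected. If the live system still treats the two rulesets differently, the useful next step is to compare the parsed form of rule 10 (`ipfw3 show` or the equivalent listing) against what the model produces for `dst-port 22 or 80`, since the model has no way to tell how the real parser consumed the `or`.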