ipfw3: match multiple ports in a rule
Chuck Musser
cmusser at sonic.net
Wed Nov 23 23:51:31 PST 2016
I've begun to explore ipfw3 and gotten some basic firewalling going, but I have
a few questions about the configuration syntax.
Given that I want to allow access to the web and SSH servers, my
initial attempt at rules looked like:
# External address: incoming SSH and HTTP requests
ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22
ipfw3 add 15 allow tcp to 1.2.3.4 dst-port 80
# External address: outgoing SSH and HTTP responses
ipfw3 add 20 allow tcp from 1.2.3.4 src-port 22
ipfw3 add 22 allow tcp from 1.2.3.4 src-port 80
I tried to combine each of those rule pairs by trying to create a single rule that specifies
more than one port. The man page mentions lists of ports and something called
an "or-block", but I didn't understand how to create a valid rule.
I tried all of these, which failed with various error messages:
ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22 and dst-port 80
ipfw3 add 10 allow tcp to 1.2.3.4 { dst-port 22 and dst-port 80 }
ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22,80
ipfw3 add 10 allow tcp to 1.2.3.4 22,80
And this one gave no error message, but clients were unable to connect:
ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22 or 80
Is there a way to make this particular set of rules more compact? I guess what I'm
after is a clearer explanation of how to combine the various matching criteria
with "or" and "and" operators.
Chuck
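Until the combined-port syntax is sorted out, one way to keep the rule set manageable without guessing at syntax is to generate the per-port rules from a port list, using exactly the one-port-per-rule form that is known to work above. The following is an added example, not part of the original post and not ipfw3's own tooling; the address 1.2.3.4, the port list and the rule-numbering scheme are constructed for illustration, and nothing is applied to the firewall unless IPFW3_APPLY=1 is set, so the generated rules can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): emit ipfw3 rules, one per port,
# in the per-port syntax shown in the post. It deliberately avoids any
# combined-port syntax and only runs ipfw3 when IPFW3_APPLY=1 is set.
# Assumptions (constructed): the external address, the port list and the
# rule numbering (START for the first rule, STEP between rules).

# ipfw3_port_rules ADDR START STEP PORT...
# Prints the "incoming request" allow rule for each port, then the matching
# "outgoing response" allow rule for each port, numbering them consecutively.
ipfw3_port_rules() {
    addr=$1; start=$2; step=$3
    shift 3
    n=$start
    for p in "$@"; do
        echo "ipfw3 add $n allow tcp to $addr dst-port $p"
        n=$((n + step))
    done
    for p in "$@"; do
        echo "ipfw3 add $n allow tcp from $addr src-port $p"
        n=$((n + step))
    done
}

# apply_rules: reads generated rule lines on stdin. By default it is a dry
# run that only echoes them; with IPFW3_APPLY=1 each line is executed.
apply_rules() {
    while IFS= read -r line; do
        if [ "${IPFW3_APPLY:-0}" = 1 ]; then
            eval "$line"
        else
            echo "dry-run: $line"
        fi
    done
}

# Usage: SSH and HTTP on the external address, rules numbered 10, 15, 20, 25.
ipfw3_port_rules 1.2.3.4 10 5 22 80 | apply_rules
```

Run it once without IPFW3_APPLY to check the numbering and the address, then with IPFW3_APPLY=1 to load the rules; adding a port later means editing the list rather than hand-numbering four new rules.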