ipfw3: match multiple ports in a rule

Chuck Musser cmusser at sonic.net
Wed Nov 23 23:51:31 PST 2016


I've begun to explore ipfw3 and gotten some basic firewalling going, but I have
a few questions about the configuration syntax.

Given that I want to allow access to the web and SSH servers, my
initial attempt at rules looked like:

# External address: incoming SSH and HTTP requests
ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22
ipfw3 add 15 allow tcp to 1.2.3.4 dst-port 80

# External address: outgoing SSH and HTTP responses
ipfw3 add 20 allow tcp from 1.2.3.4 src-port 22
ipfw3 add 22 allow tcp from 1.2.3.4 src-port 80

I tried to combine each of those rule pairs into a single rule that specifies
more than one port. The man page mentions lists of ports and something called
an "or-block", but I didn't understand how to create a valid rule.

I tried all of these, which failed with various error messages:

ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22 and dst-port 80
ipfw3 add 10 allow tcp to 1.2.3.4 { dst-port 22 and dst-port 80 }
ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22,80
ipfw3 add 10 allow tcp to 1.2.3.4 22,80

And this one gave no error message, but clients were unable to connect:

ipfw3 add 10 allow tcp to 1.2.3.4 dst-port 22 or 80

Is there a way to make this particular set of rules more compact? I guess what I'm
after is a clearer explanation of how to combine the various matching criteria
with "or" and "and" operators.

Chuck

