ipfw3: match multiple ports in a rule
Chuck Musser
cmusser at sonic.net
Fri Nov 25 15:34:42 PST 2016
> On Nov 25, 2016, at 5:38 AM, Bill Yuan <bycn82 at gmail.com> wrote:
>
> Hi Chuck,
>
> Sorry for replying late. I was super busy recently.
>
> Yes, the ipfw3 supports 'or' block, and we can use 'or' to join all the filters. So your firewall rules can be shortened as:
>
> ipfw3 add [rule number] allow tcp to 1.2.3.4 dst-port 22 or 80
>
Not late at all. Thanks for the response. I tried something similar to what you are describing, but then those
services (HTTP and SSH) were not accessible. To isolate the problem, I've put together 2 minimal sets of rules
that I think should be functionally identical, but aren't:
Attempt #1 (non shortened), which works:
# External address: SSH sessions originating from elsewhere
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22
# External address: HTTP sessions originating from elsewhere
ipfw3 add 15 set 1 allow tcp to 1.2.3.4 dst-port 80
ipfw3 add 22 set 1 allow tcp from 1.2.3.4 src-port 80
# External address: DNS requests
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
# External address: DNS responses
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
Attempt #2 (shortened with "or"), which didn't work:
# External address: SSH or HTTP sessions originating from elsewhere
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22 or 80
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22 or 80
# External address: DNS requests
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
# External address: DNS responses
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
Notes:
1. I expected the combination of rules 10, 20, 15 and 22 from #1 to be equivalent to rules 10 and 20 from #2.
2. Rules 30 and 35 in both examples are to allow DNS queries to flow. These work fine.
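A reference matcher for the rule subset used in this thread, as an added example (not code from the original post and not part of ipfw3). It encodes the reading of the rules that both correspondents assume: "dst-port 22 or 80" means dst-port 22 OR dst-port 80 with the rest of the rule unchanged, rules are evaluated in number order with first match winning, and the default policy is deny. The sample packets and the remote addresses 10.0.0.5 and 198.51.100.9 are constructed for the example. Running it shows that attempts #1 and #2 are equivalent under that reading, so if the live firewall behaves differently on the same traffic, the discrepancy is in how the running ipfw3 interprets the "or" form, not in the rule numbers or the DNS rules.

```python
"""Reference matcher for the ipfw3 rule subset used in this thread.

Added example, not code from the original post or from ipfw3. Assumptions:
"dst-port A or B" means A OR B, first matching rule (by number) decides,
and the default policy is deny. Sample traffic below is constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: Optional[str]               # None = any address
    dst: Optional[str]
    sport: Optional[FrozenSet[int]]  # None = any port
    dport: Optional[FrozenSet[int]]


def _parse_ports(tok: List[str], i: int):
    """Read 'N [or N]...' starting at tok[i]; return (ports, next index)."""
    ports, i = {int(tok[i])}, i + 1
    while i + 1 < len(tok) and tok[i] == "or":
        ports.add(int(tok[i + 1]))
        i += 2
    return frozenset(ports), i


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw3 add ...' line (only the keywords used in the thread)."""
    tok = line.split()
    if tok[:2] != ["ipfw3", "add"]:
        raise ValueError(f"not an ipfw3 add line: {line}")
    number, i = int(tok[2]), 3
    if tok[i] == "set":              # set membership does not affect matching
        i += 2
    action, proto, i = tok[i], tok[i + 1], i + 2
    src = dst = sport = dport = None
    while i < len(tok):
        kw = tok[i]
        if kw == "from":
            src, i = tok[i + 1], i + 2
        elif kw == "to":
            dst, i = tok[i + 1], i + 2
        elif kw == "src-port":
            sport, i = _parse_ports(tok, i + 1)
        elif kw == "dst-port":
            dport, i = _parse_ports(tok, i + 1)
        else:
            raise ValueError(f"unsupported keyword {kw!r} in: {line}")
    return Rule(number, action, proto, src, dst, sport, dport)


def parse_ruleset(text: str) -> List[Rule]:
    rules = [parse_rule(l) for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return sorted(rules, key=lambda r: r.number)   # evaluated in number order


def rule_matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "ip" or r.proto == p.proto)
            and (r.src is None or r.src == p.src)
            and (r.dst is None or r.dst == p.dst)
            and (r.sport is None or p.sport in r.sport)
            and (r.dport is None or p.dport in r.dport))


def decide(rules: List[Rule], p: Packet) -> str:
    """First match wins; 'deny' when nothing matches (assumed default policy)."""
    for r in rules:
        if rule_matches(r, p):
            return r.action
    return "deny"


def differences(a: List[Rule], b: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets on which the two rule sets disagree (empty = equivalent on this sample)."""
    return [p for p in packets if decide(a, p) != decide(b, p)]


ATTEMPT_1 = parse_ruleset("""
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22
ipfw3 add 15 set 1 allow tcp to 1.2.3.4 dst-port 80
ipfw3 add 22 set 1 allow tcp from 1.2.3.4 src-port 80
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
""")

ATTEMPT_2 = parse_ruleset("""
ipfw3 add 10 set 1 allow tcp to 1.2.3.4 dst-port 22 or 80
ipfw3 add 20 set 1 allow tcp from 1.2.3.4 src-port 22 or 80
ipfw3 add 30 set 1 allow ip from 1.2.3.4 dst-port 53
ipfw3 add 35 set 1 allow ip to 1.2.3.4 src-port 53
""")

# Constructed sample traffic; 10.0.0.5 and 198.51.100.9 stand in for remote hosts.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", "1.2.3.4", 40000, 22),      # inbound SSH
    Packet("tcp", "1.2.3.4", "10.0.0.5", 22, 40000),      # SSH reply
    Packet("tcp", "10.0.0.5", "1.2.3.4", 40001, 80),      # inbound HTTP
    Packet("tcp", "1.2.3.4", "10.0.0.5", 80, 40001),      # HTTP reply
    Packet("udp", "1.2.3.4", "198.51.100.9", 5353, 53),   # DNS query
    Packet("udp", "198.51.100.9", "1.2.3.4", 53, 5353),   # DNS answer
    Packet("tcp", "10.0.0.5", "1.2.3.4", 40002, 443),     # allowed by neither
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p, decide(ATTEMPT_1, p), decide(ATTEMPT_2, p))
    print("disagreements:", differences(ATTEMPT_1, ATTEMPT_2, SAMPLE_PACKETS))
```

The matcher deliberately models only the keywords the two rule sets use; anything else raises rather than silently matching, so it cannot hide a rule it does not understand. To extend the sample, add packets that should be denied (other ports, other destination addresses) as well as the ones that should pass, since an over-permissive reading of "or" would only show up on traffic you expect to be blocked.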