Convert iptables rule to ipfw

[senejani]

How can I convert the following iptables rule to ipfw rule?

iptables -v -I INPUT 1 -p udp –dport 53 -m string –from 50 –algo bm –hex-string ‘|0000FF0001|’ -m recent –set –name dnsanyquery
iptables -v -I INPUT 2 -p udp –dport 53 -m string –from 50 –algo bm –hex-string ‘|0000FF0001|’ -m recent –name dnsanyquery –rcheck –seconds 10 –hitcount 3 -j DROP

iptables -v -A INPUT -p udp –dport 53 -m string –from 50 –algo bm –hex-string ‘|0000FF0001|’ -m recent –set –name dnsanyquery
iptables -v -A INPUT -p udp –dport 53 -m string –from 50 –algo bm –hex-string ‘|0000FF0001|’ -m recent –name dnsanyquery –rcheck –seconds 10 –hitcount 3 -j DROP

iptables -v -A INPUT -p udp –dport 53 -m recent –set –name dnsanyquery
iptables -v -A INPUT -p udp –dport 53 -m recent –name dnsanyquery –rcheck –seconds 1 –hitcount 10 -j DROP

 

[SirDice]

What are these rules supposed to do?

 

[kpa]

Those look like layer 7 rules, in other words filtering by packet contents. I don't think you can do such filtering yet with vanilla FreeBSD. PfSense may be able to some form of layer 7 filtering but I haven't been following it lately.

 

[ShelLuser]

How can I convert the following iptables rule to ipfw rule?

Well, simply put you can't since IPFW doesn't support packet content matching.

Why not try to re-phrase your question and instead try explaining what it is you're trying to achieve with all this? That's bound to get you much better results, because right now you're more of less assuming that the people here know about iptables, but not everyone uses Linux ;-)

My assumption is that you're trying to filter out 'bad' packages which shouldn't make it to the DNS server, in combination with some throttling. Even so, in my opinion this kind of filtering is a bit overrated sometimes, although IPFW should be able to cope with throttling as well.