IPFW Help limiting connections to IP ranges

CanOfBees

Member

Reaction score: 1
Messages: 59

Hi all -

I'm trying to play around with setting up an IPFW that limits connections to only IP ranges in my organization's domain. I'm used to using a default firewall_enable="YES" and firewall_type="workstation" in /etc/rc.conf, and haven't found anything explicit in the ipfw(8) man page. But! that's probably because I don't know exactly what to look for: I'm generally weak with network-related topics.

I would like to only allow connections from IP addresses, using 1.23.0.0 as an example starting range, as follows:
Bash:
#!/bin/sh

ipfw -q -f flush

lo="lo0"
iif="bge0"
cmd="ipfw -q add"
ks="keep-state"

# possible?
$cmd 00300 allow all from 1.23.0.0-1.23.215.254 to any in via $iif
# more likely?
$cmd 00300 allow all from 1.23.0.0/17 to any in via $iif
$cmd 00301 allow all from 1.23.128.0/18 to any in via $iif
$cmd 00302 allow all from 1.23.192.0/20 to any in via $iif
# etc
# some kind of final expression to block all external traffic
$cmd 00999 deny all from all to all
Is there a shorthand syntax for expressing a range instead of using the CIDR notation?
Thanks in advance for your thoughts.
 

VladiBG

Aspiring Daemon

Reaction score: 209
Messages: 513

Re-read the man page of ipfw(8); the syntax is shown below RULE BODY.

The above example will block Internet traffic to your host and will also prevent your host from initiating outgoing connections. The default rule of ipfw is to block all, so you don't need rule 00999.
If you want to allow the host to talk to others you will need something like:

Code:
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 1
01000 allow ip6 from any to any proto ipv6-icmp ip6 icmp6types 2,135,136
01100 check-state :default
01200 allow tcp from me to any established
01300 allow tcp from me to any setup keep-state :default
01400 allow udp from me to any keep-state :default
01500 allow icmp from me to any keep-state :default
01600 allow ipv6-icmp from me to any keep-state :default
01700 allow udp from 0.0.0.0 68 to 255.255.255.255 67 out
01800 allow udp from any 67 to me 68 in
01900 allow udp from any 67 to 255.255.255.255 68 in
02000 allow udp from fe80::/10 to me 546 in
02100 allow icmp from any to me icmptypes 8
02200 allow ip6 from any to me proto ipv6-icmp ip6 icmp6types 128,129
02300 allow icmp from any to me icmptypes 3,4,11
02400 allow ip6 from any to me proto ipv6-icmp ip6 icmp6types 3
02500 allow tcp from 1.23.0.0/16 to me
65535 deny ip from any to any
Additionally, sets of alternative match patterns (or-blocks) can be constructed by putting the patterns in lists enclosed between parentheses ( ) or braces { }, and using the or operator as follows:

ipfw add 100 allow ip from { x or not y or z } to any

ip-addr:
A host or subnet address specified in one of the following ways:

numeric-ip | hostname
Matches a single IPv4 address, specified as dotted-quad or a hostname. Hostnames are resolved at the time the rule is added to the firewall list.

addr/masklen
Matches all addresses with base addr (specified as an IP address, a network number, or a hostname) and mask width of masklen bits. As an example, 1.2.3.4/25 or 1.2.3.0/25 will match all IP numbers from 1.2.3.0 to 1.2.3.127.

addr:mask
Matches all addresses with base addr (specified as an IP address, a network number, or a hostname) and the mask of mask, specified as a dotted quad. As an example, 1.2.3.4:255.0.255.0 or 1.0.3.0:255.0.255.0 will match 1.*.3.*. This form is advised only for non-contiguous masks. It is better to resort to the addr/masklen format for contiguous masks, which is more compact and less error-prone.
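Since ipfw has no "first-last" address range syntax, the practical question behind the thread is how to turn a range such as 1.23.0.0-1.23.215.254 into the addr/masklen blocks the man page describes, and how to check that a hand-written set of blocks really covers the intended range. The script below is an added example written for this page, not code from either poster or from the ipfw project; it uses only the Python standard library, and the interface name bge0 and rule numbering starting at 00300 are taken from the question's script. It emits either one rule per block or a single rule using the { x or y or z } or-block form quoted from the man page, and reports which part of a range a given list of blocks misses.

```python
"""Turn an IPv4 range into the addr/masklen blocks ipfw accepts.

Added example (not from the thread): ipfw has no "first-last" range syntax
for addresses, so the range 1.23.0.0-1.23.215.254 from the question has to
become CIDR blocks, either one rule per block or one rule with an or-block
{ a or b or c } as the man page excerpt shows.  Standard library only.
"""
import ipaddress


def range_to_cidrs(first, last):
    """Minimal list of CIDR networks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def ipfw_rules(first, last, start=300, iface="bge0"):
    """One 'allow ... in via iface' rule per block, numbered from start
    (interface name and numbering follow the question's script)."""
    return [
        f"ipfw -q add {start + n:05d} allow all from {net} to any in via {iface}"
        for n, net in enumerate(range_to_cidrs(first, last))
    ]


def ipfw_orblock_rule(first, last, number=300, iface="bge0"):
    """The same coverage as a single rule using the { x or y or z } form."""
    alts = " or ".join(str(net) for net in range_to_cidrs(first, last))
    return f"ipfw -q add {number:05d} allow all from {{ {alts} }} to any in via {iface}"


def uncovered(cidrs, first, last):
    """Parts of first..last that the given CIDR blocks do NOT match.
    Handy for checking a hand-written rule set before loading it."""
    remaining = range_to_cidrs(first, last)
    for cidr in (ipaddress.ip_network(c, strict=False) for c in cidrs):
        kept = []
        for block in remaining:
            if block.subnet_of(cidr):          # block entirely matched: drop it
                continue
            if cidr.subnet_of(block):          # block partly matched: keep the rest
                kept.extend(block.address_exclude(cidr))
            else:                              # disjoint: keep as is
                kept.append(block)
        remaining = kept
    return [str(n) for n in sorted(remaining)]


if __name__ == "__main__":
    for line in ipfw_rules("1.23.0.0", "1.23.215.255"):
        print(line)
    print(ipfw_orblock_rule("1.23.0.0", "1.23.215.255"))
    # The question's three blocks stop at 1.23.207.255; show what they miss.
    print(uncovered(["1.23.0.0/17", "1.23.128.0/18", "1.23.192.0/20"],
                    "1.23.0.0", "1.23.215.255"))
    # Ending the range at .254 instead of .255 costs many more blocks.
    print(len(range_to_cidrs("1.23.0.0", "1.23.215.254")), "blocks")
```

Run as is, it prints four rules (1.23.0.0/17, 1.23.128.0/18, 1.23.192.0/20, 1.23.208.0/21) for a range ending at 1.23.215.255, shows that the question's three blocks leave 1.23.208.0/21 unmatched, and shows that a range ending at 1.23.215.254 needs fourteen blocks, which is usually a sign the intended boundary was .255.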
 
CanOfBees

Member

Reaction score: 1
Messages: 59

VladiBG - hey! Thank you so much for the response. I'll give the man page a re-read.

Best,
CoB
 

VladiBG

Aspiring Daemon

Reaction score: 209
Messages: 513

If you put all addresses in separate rules it will be easy to read later on, so you may want to stay with your example:
10 allow all from 1.23.0.0/17 to me
20 allow all from 1.23.128.0/18 to me
30 allow all from 1.23.192.0/20 to me

or you can deny and then allow the rest

10 deny all from 1.23.216.0/21 to me
20 deny all from 1.23.231.0/22 to me
..
99 allow all from 1.23.0.0/16 to me
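The two layouts in the reply above (one allow rule per block, or deny the gaps and then allow the whole /16) only behave the same if the deny blocks cover exactly the addresses the allow blocks leave out, and a prefix like 1.23.231.0/22 matches 1.23.228.0-1.23.231.255 because ipfw masks the base address (the man page's 1.2.3.4/25 example). The script below is an added example written for this page, not code from the thread or from ipfw: it walks "from <prefix> to me" rules in number order the way ipfw does, with a default deny like the 65535 rule in the listing above, and reports the addresses on which the two rule sets disagree. The rule numbers and prefixes are copied from the reply; the probe addresses are constructed.

```python
"""Compare the two layouts from the reply above: one allow rule per block
versus deny-the-gaps-then-allow-the-/16.

Added example (not from the thread): a small first-match walk over
'from <prefix> to me' rules, the way ipfw evaluates them, plus a check of
what a prefix really matches, since ipfw masks the base address
(1.2.3.4/25 matches 1.2.3.0-1.2.3.127 per the man page).  Rule sets mirror
the reply; probe addresses are constructed.  Standard library only.
"""
import ipaddress

# Rule sets as (number, action, source prefix), copied from the reply.
SEPARATE_ALLOW = [
    (10, "allow", "1.23.0.0/17"),
    (20, "allow", "1.23.128.0/18"),
    (30, "allow", "1.23.192.0/20"),
]
DENY_THEN_ALLOW = [
    (10, "deny", "1.23.216.0/21"),
    (20, "deny", "1.23.231.0/22"),
    (99, "allow", "1.23.0.0/16"),
]


def effective_network(prefix):
    """What ipfw actually matches: host bits under the mask are ignored."""
    return ipaddress.ip_network(prefix, strict=False)


def matched_range(prefix):
    """(normalised prefix, first address, last address) for a rule's prefix."""
    net = effective_network(prefix)
    return str(net), str(net[0]), str(net[-1])


def decide(rules, addr, default="deny"):
    """First matching rule wins, lowest number first; otherwise fall through
    to the default (65535 deny in the listing above)."""
    a = ipaddress.ip_address(addr)
    for _number, action, prefix in sorted(rules):
        if a in effective_network(prefix):
            return action
    return default


def disagreements(rules_a, rules_b, addrs):
    """Addresses on which the two rule sets reach different decisions."""
    return [a for a in addrs if decide(rules_a, a) != decide(rules_b, a)]


SAMPLE_ADDRS = [  # constructed probes, one per interesting region
    "1.23.100.1",    # inside both layouts
    "1.23.210.1",    # 1.23.208.0/21: not in the three allow blocks, not denied
    "1.23.220.5",    # inside the first deny block
    "1.23.229.9",    # inside 1.23.231.0/22 only after masking to 1.23.228.0/22
    "1.23.240.1",    # above both deny blocks, inside the /16
    "9.9.9.9",       # outside the organisation entirely
]

if __name__ == "__main__":
    print(matched_range("1.23.231.0/22"))
    for addr in SAMPLE_ADDRS:
        print(addr, decide(SEPARATE_ALLOW, addr), decide(DENY_THEN_ALLOW, addr))
    print("differ on:", disagreements(SEPARATE_ALLOW, DENY_THEN_ALLOW, SAMPLE_ADDRS))
```

With the rules as written in the reply (the ".." stands for rules that are not shown), the two layouts differ on 1.23.208.0/21 and on everything above 1.23.231.255, and the masked /22 actually starts at 1.23.228.0; running a check like this against the real list of organisation blocks before loading the rules catches both kinds of gap.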
 