IPFW Rules

Hi Team,

I want to understand IP firewall rules. Consider the rule below:
Code:
ipfw allow tcp/udp from any to me
What will this rule do? What does "me" refer to here? Is it the IP address of my system that applies the firewall rules, or the MAC address of the interface? I am using the FreeBSD 4.2 stack. I am trying to deny the packets which don't contain the IP and port of my destination.

My source IP is 171.21.47.100
My destination IP is 171.21.47.128, port 2024

I want to deny the TCP/UDP packets which do not contain the destination IP. What rule should I use to deny the packets? I have already tried to configure the flags ACCEPT, DSTMSK, dstip and the port number as well, but the packets are not getting dropped. Can you please help me to achieve the above scenario? What flag do I need to set to achieve this?

Please find the code snippet given below, which I am assuming will apply the following rule:
Code:
allow tcp/udp from any to <ip_addr>
To apply the above rule, will the code below work? I am a newbie to firewall implementation.
Can you please help?

If you have any sample code or reference, please share it.

Code snippet:
Code:
  if (sa->sa_family == AF_INET)
  {
      struct sockaddr_in *sain = (struct sockaddr_in *)sa;  /* sa viewed as IPv4 */
      u_char protos[] = { IPPROTO_TCP, IPPROTO_UDP };
      int i;

      /*
       * fw_prot holds ONE protocol number, so "tcp/udp" needs two rules:
       * IPPROTO_TCP | IPPROTO_UDP (6 | 17 = 23) is a different protocol entirely.
       */
      error = 0;
      for (i = 0; i < 2 && error == 0; i++) {
          bzero(&default_rule, sizeof default_rule);
          /* rule number */
          default_rule.fw_number = ruleno++;
          /* action: allow; examine both inbound and outbound packets */
          default_rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT;
          default_rule.fw_prot = protos[i];
          /*
           * One destination port: fw_nports only holds the port COUNTS
           * (low nibble = source, high nibble = destination); the port values
           * live in fw_uar.fw_pts[] in host byte order, so convert sin_port.
           */
          IP_FW_SETNSRCP(&default_rule, 0);
          IP_FW_SETNDSTP(&default_rule, 1);
          default_rule.fw_uar.fw_pts[0] = ntohs(sain->sin_port);
          /* "from any to me": any address owned by this host. No destination
           * address/mask is involved, so IP_FW_F_DMSK must not be set. */
          default_rule.fw_flg |= IP_FW_F_DME;
          error = add_entry(&ip_fw_chain, &default_rule);
      }
      /* "Only" these packets: everything else needs an explicit deny rule after
       * the allows. IP_FW_F_DENY is command value 0 and fw_prot 0 means any
       * protocol, so a zeroed rule with IN|OUT matches every packet. */
      if (error == 0) {
          bzero(&default_rule, sizeof default_rule);
          default_rule.fw_number = ruleno++;
          default_rule.fw_flg = IP_FW_F_DENY | IP_FW_F_IN | IP_FW_F_OUT;
          error = add_entry(&ip_fw_chain, &default_rule);
      }
  }

Thanks,
Sathiyaraj
 
In IPFW, "me" means anything the server considers itself: all interfaces and IP addresses qualify as "me".
The most restrictive version would be:

Code:
ipfw add allow all from 171.21.47.100 to 171.21.47.128 2024
ipfw add drop all from any to any

Make sure you have a rule to allow network packets to flow through the loopback interface (lo).
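The first-match evaluation the reply relies on, as an added example that is not part of this thread and not ipfw's own code: a small Python model that parses a subset of ipfw(8) rule syntax (rule number, allow/deny, protocol, from/to with an optional destination port, optional via interface) and evaluates constructed packets against the reply's ruleset. The local address set, the interface names (em0, lo0) and the packets are constructed for the example; the model does not check ipfw's own syntax restrictions, and the implicit last rule is modelled as deny. It shows why "to me" matches every address the host owns (loopback included), not a MAC address, and why the final deny rule blocks loopback traffic unless a loopback allow rule precedes it.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed: every address configured on the host counts as "me", loopback included.
LOCAL_ADDRS = {"127.0.0.1", "171.21.47.128"}

@dataclass
class Packet:
    proto: str            # "tcp", "udp", ...
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    iface: str            # interface the packet crosses, e.g. "lo0"

@dataclass
class Rule:
    number: int
    action: str           # "allow", or "deny" ("drop" is treated as "deny")
    proto: str            # "all"/"ip" or one protocol name
    src: str              # "any", "me" or one dotted-quad address
    dst: str
    dport: Optional[int]  # single destination port, if given
    iface: Optional[str]  # "via <iface>", if given

def parse_rule(line: str) -> Rule:
    """Parse the subset '<num> <action> <proto> from <src> to <dst> [port] [via <iface>]'."""
    t = line.split()
    if len(t) < 7 or t[3] != "from" or t[5] != "to":
        raise ValueError("unsupported rule: " + line)
    dport = iface = None
    rest = t[7:]
    while rest:
        if rest[0] == "via":
            iface = rest[1]
            rest = rest[2:]
        else:
            dport = int(rest[0])
            rest = rest[1:]
    return Rule(int(t[0]), t[1], t[2], t[4], t[6], dport, iface)

def parse_ruleset(text: str) -> List[Rule]:
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]

def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "me":               # "me" = any address this host owns, on any interface
        return addr in LOCAL_ADDRS
    return spec == addr

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("all", "ip") and rule.proto != pkt.proto:
        return False
    if not addr_matches(rule.src, pkt.src) or not addr_matches(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return True

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """The first matching rule in number order decides; the implicit last rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return "allow" if rule.action == "allow" else "deny"
    return "deny"

# The ruleset from the reply, given explicit numbers (ipfw assigns them if you don't).
RESTRICTIVE = parse_ruleset("""
100 allow all from 171.21.47.100 to 171.21.47.128 2024
200 deny all from any to any
""")
# The same ruleset with the loopback rule the reply says must be present.
WITH_LOOPBACK = parse_ruleset("50 allow ip from any to any via lo0") + RESTRICTIVE

def demo() -> dict:
    wanted = Packet("tcp", "171.21.47.100", "171.21.47.128", 2024, "em0")
    other_port = Packet("udp", "171.21.47.100", "171.21.47.128", 2025, "em0")
    other_src = Packet("tcp", "171.21.47.99", "171.21.47.128", 2024, "em0")
    local = Packet("tcp", "127.0.0.1", "127.0.0.1", 22, "lo0")   # e.g. a local ssh
    return {
        "wanted": evaluate(RESTRICTIVE, wanted),                   # allow
        "other_port": evaluate(RESTRICTIVE, other_port),           # deny
        "other_src": evaluate(RESTRICTIVE, other_src),             # deny
        "local_without_lo_rule": evaluate(RESTRICTIVE, local),     # deny: loopback blocked
        "local_with_lo_rule": evaluate(WITH_LOOPBACK, local),      # allow
    }

def me_demo() -> dict:
    """'to me' matches every local address, not a MAC or a single interface address."""
    rules = parse_ruleset("100 allow tcp from any to me 2024\n200 deny all from any to any")
    return {
        "to_primary_addr": evaluate(rules, Packet("tcp", "10.0.0.5", "171.21.47.128", 2024, "em0")),
        "to_loopback_addr": evaluate(rules, Packet("tcp", "127.0.0.1", "127.0.0.1", 2024, "lo0")),
        "to_foreign_addr": evaluate(rules, Packet("tcp", "10.0.0.5", "171.21.47.50", 2024, "em0")),
    }

if __name__ == "__main__":
    print(demo())
    print(me_demo())
```

Running the block prints both result tables; the "local_without_lo_rule" entry is the case the reply's last sentence warns about, and the me_demo entries answer the original question about what "me" refers to.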
 