[Solved] IPFW settings no longer work

I have a question about IPFW. EXTERNAL INTERFACE is the external address of a router running FreeBSD as a network gateway. The IPFW rules are as follows. These are dynamic rules.

Code:
#EXTERNAL INTERFACE
ipfw -q add 1300 deny all from any to any in via $ext_if

ipfw -q add 1400 allow udp from me to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from me to any 67 out keep-state via $ext_if

ipfw -q add 1800 allow tcp from me to any 53 out setup keep-state via $ext_if
ipfw -q add 1900 allow udp from me to any 53 out keep-state via $ext_if

ipfw -q add 2000 allow tcp from me to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from me to any 443 out setup keep-state via $ext_if

ipfw -q add 2200 deny all from any to any via $ext_if

It worked. But while tuning the firewall for other needs, it suddenly stopped.
I had to move rules 1800 and 1900 before the static blocking rule, which blocks all incoming connections that were not established from the router.
It also doesn't work when instead of "me", which is the router's IP, there is "any", which is whatever is on that output.
At this point it is set up as follows, and it works:

Code:
ipfw -q add 1210 allow tcp from $my_ip to any 53 out setup keep-state via $ext_if
ipfw -q add 1220 allow udp from $my_ip to any 53 out keep-state via $ext_if

ipfw -q add 1300 deny all from any to any in via $ext_if

ipfw -q add 1400 allow udp from $my_ip to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from $my_ip to any 67 out keep-state via $ext_if

ipfw -q add 2000 allow tcp from $my_ip to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from $my_ip to any 443 out setup keep-state via $ext_if

ipfw -q add 2200 deny all from any to any via $ext_if

The log shows blocking on rule 1300 when port 53 is placed under the static rule.

My question is:
Why did it work at first?
How did it work, and why did it stop?
 
I did not set the check-state because it doesn't make sense. It just worked and stopped.

Code:
ipfw -q -f flush

ext_if="re0"
int_if="igb0"
my_ip="192.168.1.46"

#ipfw -q add 100 allow log all from any to any
#ipfw -q add 200 deny icmp from any to any

#IPv6
ipfw -q add 300 deny ipv6 from any to any
ipfw -q add 400 deny all from any to any frag

#LOOPBACK lo0
ipfw -q add 500 allow all from any to any via lo0

#NTPDATE
#ipfw -q add 600 allow udp from $my_ip to any dst-port 123 out keep-state

#EXTERNAL INTERFACE
ipfw -q add 900 allow tcp from any 9001 to $my_ip in via $ext_if
ipfw -q add 1000 allow tcp from any 9030 to $my_ip in via $ext_if
ipfw -q add 1100 allow tcp from $my_ip to any 9001 out via $ext_if
ipfw -q add 1200 allow tcp from $my_ip to any 9030 out via $ext_if

ipfw -q add 1210 allow tcp from $my_ip to any 53 out setup keep-state via $ext_if
ipfw -q add 1220 allow udp from $my_ip to any 53 out keep-state via $ext_if

ipfw -q add 1300 deny all from any to any in via $ext_if

ipfw -q add 1400 allow udp from $my_ip to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from $my_ip to any 67 out keep-state via $ext_if

ipfw -q add 2000 allow tcp from $my_ip to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from $my_ip to any 443 out setup keep-state via $ext_if

ipfw -q add 2200 deny all from any to any via $ext_if

#INTERNAL INTERFACE
ipfw -q add 2300 allow tcp from 10.1.1.0/24 to 10.1.1.1 1234 in via $int_if
ipfw -q add 2400 allow tcp from 10.1.1.1 1234 to 10.1.1.0/24 out via $int_if

ipfw -q add 2500 allow tcp from 10.1.1.1 445 to 10.1.1.0/24 out via $int_if
ipfw -q add 2600 allow tcp from 10.1.1.1 139 to 10.1.1.0/24 out via $int_if
ipfw -q add 2700 allow udp from 10.1.1.1 138 to 10.1.1.0/24 out via $int_if
ipfw -q add 2800 allow udp from 10.1.1.1 137 to 10.1.1.0/24 out via $int_if

ipfw -q add 2900 allow tcp from 127.0.0.1 9050 to 10.1.1.0/24 out via $int_if
ipfw -q add 3000 allow udp from 127.0.0.1 9053 to 10.1.1.0/24 out via $int_if

ipfw -q add 3100 deny all from any to any out via $int_if

ipfw -q add 3200 allow udp from 10.1.1.0/24 to any 68 in keep-state via $int_if
ipfw -q add 3300 allow udp from 10.1.1.0/24 to any 67 in keep-state via $int_if

ipfw -q add 3400 allow tcp from 10.1.1.0/24 to any 53 in setup keep-state via $int_if
ipfw -q add 3500 allow udp from 10.1.1.0/24 to any 53 in keep-state via $int_if

ipfw -q add 3600 allow tcp from 10.1.1.0/24 to any 80 in setup keep-state via $int_if
ipfw -q add 3700 allow tcp from 10.1.1.0/24 to any 443 in setup keep-state via $int_if

ipfw -q add 3800 allow tcp from 10.1.1.0/24 to 10.1.1.1 445 in via $int_if
ipfw -q add 3900 allow tcp from 10.1.1.0/24 to 10.1.1.1 139 in via $int_if
ipfw -q add 4000 allow udp from 10.1.1.0/24 to 10.1.1.1 137 in via $int_if
ipfw -q add 4100 allow udp from 10.1.1.0/24 to 10.1.1.255 137 in via $int_if

ipfw -q add 4200 allow tcp from 10.1.1.0/24 to 10.1.1.1 dst-port 8080 in setup keep-state via $int_if

ipfw -q add 4300 deny all from any to any via $int_if

#BLOCKING
ipfw -q add 4400 deny all from 10.0.0.0/8 to any
ipfw -q add 4500 deny all from any to 10.0.0.0/8

ipfw -q add 4600 deny all from 192.168.0.0/16 to any
ipfw -q add 4700 deny all from any to 192.168.0.0/16

ipfw -q add 4800 deny all from 172.16.0.0/16 to any
ipfw -q add 4900 deny all from any to 172.16.0.0/16

ipfw -q add 5000 deny all from 172.17.0.0/16 to any
ipfw -q add 5100 deny all from any to 172.17.0.0/16

ipfw -q add 5200 deny all from 172.18.0.0/16 to any
ipfw -q add 5300 deny all from any to 172.18.0.0/16

ipfw -q add 5400 deny all from 172.19.0.0/16 to any
ipfw -q add 5500 deny all from any to 172.19.0.0/16

ipfw -q add 5600 deny all from 172.20.0.0/16 to any
ipfw -q add 5700 deny all from any to 172.20.0.0/16

ipfw -q add 5800 deny all from 172.21.0.0/16 to any
ipfw -q add 5900 deny all from any to 172.21.0.0/16

ipfw -q add 6000 deny all from 172.22.0.0/16 to any
ipfw -q add 6100 deny all from any to 172.22.0.0/16

ipfw -q add 6200 deny all from 172.23.0.0/16 to any
ipfw -q add 6300 deny all from any to 172.23.0.0/16

ipfw -q add 6400 deny all from 172.24.0.0/16 to any
ipfw -q add 6500 deny all from any to 172.24.0.0/16

ipfw -q add 6600 deny all from 172.25.0.0/16 to any
ipfw -q add 6700 deny all from any to 172.25.0.0/16

ipfw -q add 6800 deny all from 172.26.0.0/16 to any
ipfw -q add 6900 deny all from any to 172.26.0.0/16

ipfw -q add 7000 deny all from 172.27.0.0/16 to any
ipfw -q add 7100 deny all from any to 172.27.0.0/16

ipfw -q add 7200 deny all from 172.28.0.0/16 to any
ipfw -q add 7300 deny all from any to 172.28.0.0/16

ipfw -q add 7400 deny all from 172.29.0.0/16 to any
ipfw -q add 7500 deny all from any to 172.29.0.0/16

ipfw -q add 7600 deny all from 172.30.0.0/16 to any
ipfw -q add 7700 deny all from any to 172.30.0.0/16

ipfw -q add 7800 deny all from 172.31.0.0/16 to any
ipfw -q add 7900 deny all from any to 172.31.0.0/16

ipfw -q add 8000 deny all from any to any
 
ipfw(8)

If the ruleset includes one or more rules with the keep-state,
record-state, limit or set-limit option, the firewall will have a
stateful behaviour, i.e., upon a match it will create dynamic rules,
i.e., rules that match packets with the same 5-tuple (protocol, source
and destination addresses and ports) as the packet which caused their
creation. Dynamic rules, which have a limited lifetime, are checked at
the first occurrence of a check-state, keep-state or limit rule, and are
typically used to open the firewall on-demand to legitimate traffic only.
Please note, that keep-state and limit imply implicit check-state for all
packets (not only these matched by the rule) but record-state and
set-limit have no implicit check-state. See the STATEFUL FIREWALL and
EXAMPLES Sections below for more information on the stateful behaviour of
ipfw.

Edit:
You need to review all your rules. For example, rules 4300 - 7900 are not needed, as rule 8000 catches all of them.
Edit2: even rule 8000 is not needed, as there is a default rule 65535 that denies all, unless you set net.inet.ip.fw.default_to_accept=1 in sysctl.
 
I added. It's not working. :)

DNS must be before the static rule.

Also, check-state creates a loophole. Because it allows packets to come in from a closed session. And it starts packet traffic that is not related to anything.

For example.
I go to the website xyz.com.
Dynamic rules create a "tunnel" that is associated with visiting the site.
I close the browser session, so the dynamic rule closes too, because the traffic "from me" is finished.

Check-state allows this session to open back up from the xyz.com website which is not initiated by me.

So why did it work in the beginning?
 
I have a question about IPFW. EXTERNAL INTERFACE is the external address of a router running FreeBSD as a network gateway. The IPFW rules are as follows. These are dynamic rules.

Code:
#EXTERNAL INTERFACE
ipfw -q add 1300 deny all from any to any in via $ext_if

ipfw -q add 1400 allow udp from me to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from me to any 67 out keep-state via $ext_if

ipfw -q add 1800 allow tcp from me to any 53 out setup keep-state via $ext_if
ipfw -q add 1900 allow udp from me to any 53 out keep-state via $ext_if

ipfw -q add 2000 allow tcp from me to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from me to any 443 out setup keep-state via $ext_if

ipfw -q add 2200 deny all from any to any via $ext_if

It worked. But while tuning the firewall for other needs, it suddenly stopped.
I had to move rules 1800 and 1900 before the static blocking rule, which blocks all incoming connections that were not established from the router.
Yepp. That's obvious so far.

It also doesn't work when instead of "me", which is the router's IP, there is "any", which is whatever is on that output.
There is a flaw in the code. You write out keep-state via $ext_if, and this is a shorthand for out keep-state {recv $ext_if or xmit $ext_if}. What you actually want to write is out keep-state xmit $ext_if.
I don't think this is the cause of your problem, but it can create creepy errors.

At this point it is set up as follows, and it works:

Code:
ipfw -q add 1210 allow tcp from $my_ip to any 53 out setup keep-state via $ext_if
ipfw -q add 1220 allow udp from $my_ip to any 53 out keep-state via $ext_if

ipfw -q add 1300 deny all from any to any in via $ext_if

ipfw -q add 1400 allow udp from $my_ip to any 68 out keep-state via $ext_if
ipfw -q add 1500 allow udp from $my_ip to any 67 out keep-state via $ext_if

ipfw -q add 2000 allow tcp from $my_ip to any 80 out setup keep-state via $ext_if
ipfw -q add 2100 allow tcp from $my_ip to any 443 out setup keep-state via $ext_if

ipfw -q add 2200 deny all from any to any via $ext_if

The log shows blocking on rule 1300 when port 53 is placed under the static rule.
Yes. Rule 1300 does throw away all incoming. So you can send out packets, but what happens to the replies to these packets? They are dropped.
You do keep-state on your outgoing packets; that alone does not allow the replies to come in when they are dropped beforehand. Only at the first check-state or keep-state are the stateful dynamic rules checked. So in your second version there is a keep-state before the drop rule 1300. And there it checks all the dynamic rules - and then it works.

My question is:
Why did it work at first?
How did it work, and why did it stop?
I don't believe it did work at first. ;)
 
You do keep-state on your outgoing packets; that alone does not allow the replies to come in when they are dropped beforehand. Only at the first check-state or keep-state are the stateful dynamic rules checked.

Maybe it's a "cache" problem?
The very existence of the check-state function suggests the existence of a cache for the firewall.
Maybe it is possible to reset cache somehow or rinse the previous rules properly? I don't know.
Or some parameter in loader.conf has to be set?

There is a flaw in the code. You write out keep-state via $ext_if, and this is a shorthand for out keep-state (recv $ext_if or xmit $ext_if). What you actually want to write is out keep-state xmit $ext_if.
I don't think this is the cause of your problem, but it can create creepy errors.

xmit - I have not encountered this in any manual on IPFW.

This would also not work for 80 and 443 which are under a static (1300) rule. But it works.

I set it two days ago for local_unbound. It worked, only TOR was blocked. It was late in the day. The other day I was setting rules for TOR and it broke. https://forums.freebsd.org/threads/local-unbound-config-not-working.84876/#post-564122 The last photo is from when IPFW was operating in the "first variant".

Code:
root@router:~ # ipfw list
00300 deny ip6 from any to any
00400 deny ip from any to any frag offset
00500 allow ip from any to any via lo0
00900 allow tcp from any 9001 to 192.168.1.46 in via re0
01000 allow tcp from any 9030 to 192.168.1.46 in via re0
01100 allow tcp from 192.168.1.46 to any 9001 out via re0
01200 allow tcp from 192.168.1.46 to any 9030 out via re0
01210 allow tcp from 192.168.1.46 to any 53 out setup via re0 keep-state :default
01220 allow udp from 192.168.1.46 to any 53 out via re0 keep-state :default
01300 deny ip from any to any in via re0
01400 allow udp from 192.168.1.46 to any 68 out via re0 keep-state :default
01500 allow udp from 192.168.1.46 to any 67 out via re0 keep-state :default
02000 allow tcp from 192.168.1.46 to any 80 out setup via re0 keep-state :default
02100 allow tcp from 192.168.1.46 to any 443 out setup via re0 keep-state :default
02200 deny ip from any to any via re0
02300 allow tcp from 10.1.1.0/24 to 10.1.1.1 1234 in via igb0
02400 allow tcp from 10.1.1.1 1234 to 10.1.1.0/24 out via igb0
02500 allow tcp from 10.1.1.1 445 to 10.1.1.0/24 out via igb0
02600 allow tcp from 10.1.1.1 139 to 10.1.1.0/24 out via igb0
02700 allow udp from 10.1.1.1 138 to 10.1.1.0/24 out via igb0
02800 allow udp from 10.1.1.1 137 to 10.1.1.0/24 out via igb0
02900 allow tcp from 127.0.0.1 9050 to 10.1.1.0/24 out via igb0
03000 allow udp from 127.0.0.1 9053 to 10.1.1.0/24 out via igb0
03100 deny ip from any to any out via igb0
03200 allow udp from 10.1.1.0/24 to any 68 in via igb0 keep-state :default
03300 allow udp from 10.1.1.0/24 to any 67 in via igb0 keep-state :default
03400 allow tcp from 10.1.1.0/24 to any 53 in setup via igb0 keep-state :default
03500 allow udp from 10.1.1.0/24 to any 53 in via igb0 keep-state :default
03600 allow tcp from 10.1.1.0/24 to any 80 in setup via igb0 keep-state :default
03700 allow tcp from 10.1.1.0/24 to any 443 in setup via igb0 keep-state :default
03800 allow tcp from 10.1.1.0/24 to 10.1.1.1 445 in via igb0
03900 allow tcp from 10.1.1.0/24 to 10.1.1.1 139 in via igb0
04000 allow udp from 10.1.1.0/24 to 10.1.1.1 137 in via igb0
04100 allow udp from 10.1.1.0/24 to 10.1.1.255 137 in via igb0
04200 allow tcp from 10.1.1.0/24 to 10.1.1.1 8080 in setup via igb0 keep-state :default
04300 deny ip from any to any via igb0
04400 deny ip from 10.0.0.0/8 to any
04500 deny ip from any to 10.0.0.0/8
04600 deny ip from 192.168.0.0/16 to any
04700 deny ip from any to 192.168.0.0/16
04800 deny ip from 172.16.0.0/16 to any
04900 deny ip from any to 172.16.0.0/16
05000 deny ip from 172.17.0.0/16 to any
05100 deny ip from any to 172.17.0.0/16
05200 deny ip from 172.18.0.0/16 to any
05300 deny ip from any to 172.18.0.0/16
05400 deny ip from 172.19.0.0/16 to any
05500 deny ip from any to 172.19.0.0/16
05600 deny ip from 172.20.0.0/16 to any
05700 deny ip from any to 172.20.0.0/16
05800 deny ip from 172.21.0.0/16 to any
05900 deny ip from any to 172.21.0.0/16
06000 deny ip from 172.22.0.0/16 to any
06100 deny ip from any to 172.22.0.0/16
06200 deny ip from 172.23.0.0/16 to any
06300 deny ip from any to 172.23.0.0/16
06400 deny ip from 172.24.0.0/16 to any
06500 deny ip from any to 172.24.0.0/16
06600 deny ip from 172.25.0.0/16 to any
06700 deny ip from any to 172.25.0.0/16
06800 deny ip from 172.26.0.0/16 to any
06900 deny ip from any to 172.26.0.0/16
07000 deny ip from 172.27.0.0/16 to any
07100 deny ip from any to 172.27.0.0/16
07200 deny ip from 172.28.0.0/16 to any
07300 deny ip from any to 172.28.0.0/16
07400 deny ip from 172.29.0.0/16 to any
07500 deny ip from any to 172.29.0.0/16
07600 deny ip from 172.30.0.0/16 to any
07700 deny ip from any to 172.30.0.0/16
07800 deny ip from 172.31.0.0/16 to any
07900 deny ip from any to 172.31.0.0/16
08000 deny ip from any to any
65535 deny ip from any to any
 
I added. It's not working. :)

DNS must be before the static rule.
Strange. Would have to look at the whole thing.

Also, check-state creates a loophole. Because it allows packets to come in from a closed session. And it starts packet traffic that is not related to anything.

For example.
I go to the website xyz.com.
Dynamic rules create a "tunnel" that is associated with visiting the site.
I close the browser session, so the dynamic rule closes too, because the traffic "from me" is finished.

Check-state allows this session to open back up from the xyz.com website which is not initiated by me.

No. You close the browser session, a FIN packet is sent, the dynamic rules are removed.
Or, you crash the browser kernel(*), no FIN packet is sent, the dynamic rules will continue to exist for 300 seconds (default). That means, the flow is open for exactly this 5-tuple (TCP, same IPs, same ports). Then somebody can send in a packet onto exactly that port of yours - but that has to be a SYN packet, because the original flow is already dead. Besides that there is now nothing on your side to receive this, you could also just drop all TCP-setup from the outside, before the first keep-state.

(*)Edit - correction: the tcp flows are maintained by the kernel, so on browser crash the flow should be closed nevertheless.

It looked like the guests left, but moments later they entered the apartment without asking because they forgot their keys.
Yes, but not that easy.
 
Maybe it's a "cache" problem?
The very existence of the check-state function suggests the existence of a cache for the firewall.
Then just look at the current cache contents. ipfw -d show will list it at the end of the ruleset, and show the countdown on their lifetime.
 
xmit - I have not encountered this in any manual on IPFW.
Should be in the man-page, alongside with the via option.


This would also not work for 80 and 443 which are under a static (1300) rule. But it works.
For stateful rules the content of the rule itself is irrelevant.
Let's go through it:
  • You open a browser session from 192.168.1.1 port 45678 to 9.10.11.12 port 80.
    Rule 2000 allows the outgoing SYN (=setup) packet and keep-states it. Now the 5-tuple (TCP, 192.168.1.1, 45678, 9.10.11.12, 80) is in the cache.
  • The webserver sends a SYN ACK reply packet. The ruleset is walked, and reaches (in your second version) rule 1210. The rule does not match, but there is a keep-state, and that is executed independently and checks the entire cache, always on first occurrence (and only once).
  • The 5-tuple of our cached rule matches (source and dest are swapped, but that does not matter for dynamic rules).
  • So now we jump to the original rule that created the matching dynamic rule - that is 2000. We do not check that rule again, but we execute the action from that rule (and increment the counter here, not on 1210!) - which is "allow". Here the story ends, the packet is allowed (but if that were not "allow" or "drop", then we would continue in the ruleset after rule 2000).
I admit it is not all intuitive, but I didn't build it, and one can work with this. Anyway, it is built for speed, not for comfort (for comfort I wrote a gui frontend).
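To make the walk above concrete, here is an added toy model of the rule-walking semantics the reply describes (my own illustration, not code from this thread and not ipfw's real matching engine). It reduces each rule to the fields used in the thread's external-interface rules and models the rules around 1300, with a flag that adds DNS rule 1210 ahead of the static deny; the addresses and ports are the ones used in the walk-through above, and the packets are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Pkt:                  # one packet as seen on the external interface
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    syn: bool = False       # TCP SYN, what ipfw's "setup" keyword matches

@dataclass
class Rule:                 # static part of an ipfw rule, reduced to the fields used in the thread
    num: int
    action: str             # "allow" or "deny"
    proto: str = "ip"       # "ip" matches any protocol
    src: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False
    keep_state: bool = False
    def matches(self, p: Pkt) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dport in (None, p.dport) and self.direction in (None, p.direction)
                and (not self.setup or p.syn))

def flow_key(p: Pkt):
    # Direction-agnostic 5-tuple: the reply, with src/dst swapped, maps to the same entry.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.by_num = {r.num: r for r in self.rules}
        self.dynamic = {}   # flow key -> number of the rule that created the state

    def filter(self, p: Pkt):
        """Walk the rules in order; return (action, number of the rule whose action decided)."""
        state_checked = False
        for r in self.rules:
            if r.keep_state and not state_checked:   # keep-state implies check-state, for every packet
                state_checked = True                  # ...but the dynamic table is consulted only once
                parent = self.dynamic.get(flow_key(p))
                if parent is not None:                # execute the parent rule's action, count it there
                    return self.by_num[parent].action, parent
            if r.matches(p):
                if r.keep_state:
                    self.dynamic[flow_key(p)] = r.num
                return r.action, r.num
        return "deny", 65535                          # ipfw's default rule

def ruleset(dns_before_deny: bool) -> Firewall:
    """The thread's external-interface rules; True adds DNS rule 1210 ahead of static deny 1300."""
    rules = [
        Rule(1300, "deny", direction="in"),
        Rule(2000, "allow", "tcp", "192.168.1.46", 80, "out", setup=True, keep_state=True),
        Rule(2200, "deny"),
    ]
    if dns_before_deny:
        rules.append(Rule(1210, "allow", "tcp", "192.168.1.46", 53, "out", setup=True, keep_state=True))
    return Firewall(rules)

def http_exchange(fw: Firewall):
    """Outgoing SYN to a web server, then its SYN/ACK reply (constructed sample packets)."""
    syn = Pkt("tcp", "192.168.1.46", 45678, "9.10.11.12", 80, "out", syn=True)
    reply = Pkt("tcp", "9.10.11.12", 80, "192.168.1.46", 45678, "in")
    return fw.filter(syn), fw.filter(reply)
```

With the first layout the reply is dropped by 1300 before any keep-state rule has looked at the dynamic table; with 1210 in front, the reply is allowed by the action of rule 2000, the rule that created the state.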
 
You want to remove that dynamic cache listing - it shows the webservers you are currently talking to.
 
Edit:

That was my mistake.

Not "log deny all" but "deny log all".

Sorry.

Code:
Apr 21 14:58:44 router kernel: ipfw: 1300 Deny TCP 216.58.215.68:443 192.168.1.46:59942 in via re0
Apr 21 14:58:44 router kernel: ipfw: 1300 Deny TCP 52.114.90.51:443 192.168.1.46:57303 in via re0
Apr 21 14:58:44 router kernel: ipfw: 1300 Deny TCP 216.58.215.68:443 192.168.1.46:54065 in via re0
Apr 21 14:58:44 router kernel: ipfw: 1300 Deny TCP 216.58.215.68:443 192.168.1.46:51456 in via re0
Apr 21 14:58:45 router kernel: ipfw: 1300 Deny TCP 216.58.215.68:443 192.168.1.46:52098 in via re0
Apr 21 14:58:46 router kernel: ipfw: 1300 Deny TCP 216.58.215.68:443 192.168.1.46:65133 in via re0
Apr 21 14:58:46 router kernel: ipfw: 1300 Deny TCP 216.58.215.68:443 192.168.1.46:57019 in via re0
Apr 21 14:58:46 router kernel: ipfw: 1300 Deny TCP 52.114.90.64:443 192.168.1.46:63637 in via re0
Apr 21 14:58:46 router kernel: ipfw: 1300 Deny TCP 52.114.76.237:443 192.168.1.46:60256 in via re0
Apr 21 14:58:46 router kernel: ipfw: 1300 Deny TCP 52.114.90.43:443 192.168.1.46:56782 in via re0
Apr 21 14:58:47 router kernel: ipfw: 1300 Deny TCP 52.114.90.45:443 192.168.1.46:59926 in via re0
Apr 21 14:58:47 router kernel: ipfw: 1300 Deny TCP 52.113.205.220:443 192.168.1.46:61878 in via re0
 
xmit - I have not encountered this in any manual on IPFW.
The only manual on ipfw that counts is ipfw(8), i.e. man ipfw.

The handbook section on ipfw still has some major issues and outright errors; ipfw(8) is definitive.

Use a modified copy of /etc/rc.firewall. Those rulesets were built by the authors and other FreeBSD network wizards, and are generally superior, especially to those in the handbook section.

In the 'simple' ruleset you will see a neat solution (using a table) to the below messy duplication, which in any case comes to 172.16.0.0/12 (16 /16s). Note carefully the placement of these rules, again in rc.firewall 'simple'.
172.16.0.0/16 to any
04900 deny ip from any to 172.16.0.0/16
05000 deny ip from 172.17.0.0/16 to any
05100 deny ip from any to 172.17.0.0/16
05200 deny ip from 172.18.0.0/16 to any
05300 deny ip from any to 172.18.0.0/16
05400 deny ip from 172.19.0.0/16 to any
05500 deny ip from any to 172.19.0.0/16
05600 deny ip from 172.20.0.0/16 to any
05700 deny ip from any to 172.20.0.0/16
05800 deny ip from 172.21.0.0/16 to any
05900 deny ip from any to 172.21.0.0/16
06000 deny ip from 172.22.0.0/16 to any
06100 deny ip from any to 172.22.0.0/16
06200 deny ip from 172.23.0.0/16 to any
06300 deny ip from any to 172.23.0.0/16
06400 deny ip from 172.24.0.0/16 to any
06500 deny ip from any to 172.24.0.0/16
06600 deny ip from 172.25.0.0/16 to any
06700 deny ip from any to 172.25.0.0/16
06800 deny ip from 172.26.0.0/16 to any
06900 deny ip from any to 172.26.0.0/16
07000 deny ip from 172.27.0.0/16 to any
07100 deny ip from any to 172.27.0.0/16
07200 deny ip from 172.28.0.0/16 to any
07300 deny ip from any to 172.28.0.0/16
07400 deny ip from 172.29.0.0/16 to any
07500 deny ip from any to 172.29.0.0/16
07600 deny ip from 172.30.0.0/16 to any
07700 deny ip from any to 172.30.0.0/16
07800 deny ip from 172.31.0.0/16 to any
07900 deny ip from any to 172.31.0.0/16
08000 deny ip from any to any
65535 deny ip from any to any
 