Solved IPFW Tables

cheslavic

Good afternoon,

I have got a problem with tables. I want to add IP ranges in CIDR format to table(1), but when I reload the rules the error ipfw: Unable to parse value 78.30.64.0/18 persists. What can cause it? Below are the config files.

/usr/local/etc/ipfw.conf:

Code:
cmd="ipfw -q add"
ipfw -q -f flush
ipfw table 1 flush
cat /usr/local/etc/ip-allow.txt | xargs ipfw table 1 add
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 deny ip from any to 127.0.0.0/8
$cmd 00300 deny ip from 127.0.0.0/8 to any
$cmd 00400 deny ip from any to ::1
$cmd 00500 deny ip from ::1 to any
$cmd 00600 allow ipv6-icmp from :: to ff02::/16
$cmd 00700 allow ipv6-icmp from fe80::/10 to fe80::/10
$cmd 00800 allow ipv6-icmp from fe80::/10 to ff02::/16
$cmd 00900 allow ipv6-icmp from any to any ip6 icmp6types 1
$cmd 01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
$cmd 01100 check-state
$cmd 01200 allow tcp from me to any established
$cmd 01300 allow tcp from me to any setup keep-state
$cmd 01400 allow udp from me to any keep-state
$cmd 01500 allow icmp from me to any keep-state
$cmd 01600 allow ipv6-icmp from me to any keep-state
$cmd 01700 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
$cmd 01800 allow udp from any 67 to me dst-port 68 in
$cmd 01900 allow udp from any 67 to 255.255.255.255 dst-port 68 in
$cmd 02000 allow udp from fe80::/10 to me dst-port 546 in
$cmd 02100 allow icmp from any to any icmptypes 8
$cmd 02200 allow ipv6-icmp from any to any ip6 icmp6types 128,129
$cmd 02300 allow icmp from any to any icmptypes 3,4,11
$cmd 02400 allow ipv6-icmp from any to any ip6 icmp6types 3
$cmd 02500 allow ip from 192.168.1.0/28 to me
$cmd 02600 allow tcp from "table(1)" to me dst-port 22 in
$cmd 02700 allow tcp from "table(1)" to me dst-port 22 out
$cmd 02800 allow tcp from any to me dst-port 6667 in
$cmd 02900 allow tcp from any to me dst-port 6667 out
$cmd 65000 count ip from any to any
$cmd 65100 deny { tcp or udp } from any to any dst-port 135-139,445 in
$cmd 65200 deny { tcp or udp } from any to any dst-port 1026,1027 in
$cmd 65300 deny { tcp or udp } from any to any dst-port 1433,1434 in
$cmd 65400 deny ip from any to 255.255.255.255
$cmd 65500 deny ip from any to 224.0.0.0/24 in
$cmd 65500 deny udp from any to any dst-port 520 in
$cmd 65500 deny tcp from any 80,443 to any dst-port 1024-65535 in
$cmd 65500 deny log logamount 500 ip from any to any
$cmd 65535 deny ip from any to any

/usr/local/etc/ip-allow.txt:

Code:
37.209.128.0/19
78.30.64.0/18
84.39.160.0/20
93.154.128.0/17
151.248.32.0/20
185.4.212.0/22
193.41.112.0/23
46.148.0.0/20
83.242.64.0/19
87.99.96.0/19
93.175.64.0/19
193.106.84.0/22

Thank you in advance for the time dedicated to helping me find the correct solution.
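As an added example, not the original poster's config and not SirDice's reply (which this thread does not quote): a POSIX sh loader that feeds ipfw one table entry per call. The posted `cat ip-allow.txt | xargs ipfw table 1 add` hands xargs's whole batch to a single `ipfw table 1 add 37.209.128.0/19 78.30.64.0/18 ...`, and since `table N add` takes one address followed by an optional value, ipfw tries to read the second prefix as a value, which matches the error quoted above. The `IPFW` override for dry runs and the two extra list lines (a comment and a bad prefix length) are constructed for this example.

```shell
# Added example: load an ipfw table one entry per `ipfw table N add` call,
# instead of letting xargs pass every prefix to a single invocation where
# the second prefix is parsed as the entry's value.

# IPFW=echo gives a dry run on a non-FreeBSD host (assumption of this example).
: "${IPFW:=ipfw}"

# The allow-list from the thread plus two constructed lines to exercise the checks.
write_sample_list() {
    cat > "$1" <<'EOF'
# constructed comment line
37.209.128.0/19
78.30.64.0/18
84.39.160.0/20
93.154.128.0/17
151.248.32.0/20
185.4.212.0/22
193.41.112.0/23
46.148.0.0/20
83.242.64.0/19
87.99.96.0/19
93.175.64.0/19
193.106.84.0/22
192.0.2.0/33
EOF
}

# Emit the list with comments, surrounding blanks and empty lines stripped.
table_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Syntax check for a.b.c.d/0-32 only; ipfw itself rejects out-of-range octets.
valid_cidr4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Flush the table, then add each well-formed entry with its own ipfw call;
# malformed lines are reported on stderr and skipped rather than aborting the load.
load_table() {
    "$IPFW" table "$1" flush
    table_entries "$2" | while IFS= read -r cidr; do
        if valid_cidr4 "$cidr"; then
            "$IPFW" table "$1" add "$cidr"
        else
            printf 'skipping malformed entry: %s\n' "$cidr" >&2
        fi
    done
}
```

Run it as `load_table 1 /usr/local/etc/ip-allow.txt` in place of the xargs line; with `IPFW=echo` it prints the exact commands that would be issued.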

cheslavic

Thank you SirDice, but I have a second question. Why does IPFW see this rule:
Code:
$cmd 65535 deny ip from any to any
as invalid?
Code:
ipfw: getsockopt(IP_FW_XADD): Invalid argument

SirDice

Code:
     A ruleset always includes a default rule (numbered 65535) which cannot be
     modified or deleted, and matches all packets.
ipfw(8).