Table 9.1: Common Netmask Bit Values

  Netmask          Bits
  255.0.0.0          8
  255.255.0.0       16
  255.255.255.0     24
  255.255.255.128   25
  255.255.255.192   26
  255.255.255.224   27
  255.255.255.240   28
  255.255.255.248   29
  255.255.255.252   30

We mentioned earlier that ipfwadm implements a small trick that makes adding these sorts of rules easier. This trick is an option called -b, which makes the command a bidirectional rule. The bidirectional flag allows us to collapse our two rules into one as follows:

  # ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 80 -b

An important refinement

Take a closer look at our ruleset. Can you see that there is still one method of attack that someone outside could use to defeat our firewall? Our ruleset allows all datagrams from outside our network with a source port of 80 to pass. This includes datagrams with the SYN bit set! The SYN bit is what declares a TCP datagram to be a connection request. If a person on the outside had privileged access to a host, they could make a connection through our firewall to any of our hosts, provided they use port 80 at their end. This is not what we intended.

Fortunately there is a solution to this problem. The ipfwadm command provides another flag that allows us to build rules that match datagrams with the SYN bit set. Let's change our example to include such a rule:

  # ipfwadm -F -a deny -P tcp -S 0/0 80 -D 172.16.10.0/24 -y
  # ipfwadm -F -a accept -P tcp -S 172.16.1.0/24 -D 0/0 80 -b

The -y flag causes the rule to match only if the SYN flag is set in the datagram. So our new rule says: "Deny any TCP datagrams destined for our network from anywhere with a source port of 80 and the SYN bit set," or, more simply, "Deny any connection requests from hosts using port 80."

Why have we placed this special rule before the main rule? IP firewall rules operate so that the first rule that matches a datagram is the one applied. Both rules would match the datagrams we want to stop, so we must be sure to put the deny rule before the accept rule.
Listing our rules

After we've entered our rules, we ask ipfwadm to list them for us using the command:

  # ipfwadm -F -l

This command lists all of the configured forwarding rules. The output should look something like this:

  # ipfwadm -F -l
  IP firewall forward rules, default policy: accept
  type  prot source                destination           ports
  deny  tcp  anywhere              172.16.10.0/24        www -> any
  acc   tcp  172.16.1.0/24         anywhere              any -> www
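To see why the deny rule must come first, here is a small first-match simulator for the ruleset above. It is an added example, not code from the guide or from ipfwadm: it models only what the text explains (-b expands a rule into both directions, -y restricts a rule to datagrams with SYN set, the first matching rule wins, and the default policy is accept). Two assumptions: both rules protect the same network, 172.16.1.0/24 (the page's two commands name different networks), and the datagrams are constructed sample values.

```python
"""First-match evaluation of the ipfwadm forwarding rules discussed above (added example)."""
from ipaddress import ip_address, ip_network

INSIDE = "172.16.1.0/24"   # assumption: one protected network used by both rules
ANY = "0.0.0.0/0"          # ipfwadm's 0/0


def rule(verdict, src, sport, dst, dport, syn_only=False):
    """One forwarding rule; a port of None means 'any'; syn_only models the -y flag."""
    return (verdict, ip_network(src), sport, ip_network(dst), dport, syn_only)


def bidirectional(verdict, src, sport, dst, dport):
    """The -b flag: the rule plus its mirror image with source and destination swapped."""
    return [rule(verdict, src, sport, dst, dport),
            rule(verdict, dst, dport, src, sport)]


def matches(r, dgram):
    verdict, snet, sport, dnet, dport, syn_only = r
    src, spt, dst, dpt, syn = dgram
    return (ip_address(src) in snet and ip_address(dst) in dnet
            and sport in (None, spt) and dport in (None, dpt)
            and (syn or not syn_only))


def evaluate(rules, dgram, default="accept"):
    """The first rule that matches decides; the listing shows a default policy of accept."""
    for r in rules:
        if matches(r, dgram):
            return r[0]
    return default


# The page's rulesets (TCP only).
ORIGINAL = bidirectional("accept", INSIDE, None, ANY, 80)          # the single -b rule
DENY_SYN = rule("deny", ANY, 80, INSIDE, None, syn_only=True)      # the -y rule
SECURED = [DENY_SYN] + ORIGINAL       # deny rule first, as the text requires
WRONG_ORDER = ORIGINAL + [DENY_SYN]   # same two rules, deny rule last

# Constructed datagrams: (src, sport, dst, dport, syn_set)
INSIDE_REQUEST = ("172.16.1.5", 1025, "203.0.113.10", 80, True)   # our browser opens a connection
OUTSIDE_REPLY = ("203.0.113.10", 80, "172.16.1.5", 1025, False)   # the web server answers
OUTSIDE_SYN = ("203.0.113.10", 80, "172.16.1.5", 23, True)        # connection request from port 80

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("secured", SECURED), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} outside SYN from port 80 -> {evaluate(rules, OUTSIDE_SYN)}")
```

Only the SECURED ordering denies the outside connection request while still passing the legitimate request and its reply.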
