On Sat, Feb 14, 2015 at 12:04 PM, BPNoC Group <bpnoc.lists@gmail.com> wrote:

The thing to note about ipfw is that it only provides you with essentially 5-tuple based access lists based on source and destination, as it functions strictly by looking at packet headers. There's no ipfw rule you can make that will tell ipfw to "Allow outgoing port 80 connections, but only if the protocol is HTTP. Don't allow outgoing SMTP or SSH connections over port 80."

Often... for a network with endpoints, almost everything outbound you want to allow will be going out on port 80 or 443, and almost everything outbound you need to reject will also be going out on port 80 or 443.

If the syntax is a challenge for you at all, there are tools such as fwbuilder, or the PfSense appliance with its web GUI, that can be used to construct the configuration.

The sticking point with pf, or iptables, or whatever you use should not be the syntax or the command language, but the question of *what* to allow, and how to appropriately structure that choice/requirement of what to allow in order to ensure the applications work correctly and minimize the exposure.

This is not strictly a matter of coming up with rules or language syntax, but if done right includes analysis and reconfiguration of applications in order to ensure that legitimate traffic is as predictable and well-understood as possible.

For example... since 80 and 443 are such trouble, you might structure the "allow" by setting up a suitable proxy server on the LAN, require all clients to use it, and on the ipfw device it is strictly a "Deny all".
Are we really talking "ipfw add deny udp from any to any 123 not in via $lan" where?
Or are we talking "iptables -A INPUT -s 0/0 -p udp -m udp --dport 123 -j DROP"? -- -JH
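The limitation the quoted message describes, as an added example that is not code from the thread: a toy 5-tuple rule evaluator modelled on the two rule forms quoted (the ipfw "deny udp ... 123 not in via $lan" rule and the iptables-style port 123 drop), run over constructed packets. It shows that a header-only filter returns the same verdict for an HTTP request and an SMTP session on port 80, and that the "proxy on LAN plus deny-all on the gateway" structure closes that gap by allowing only the proxy host outbound. Addresses, interface names, the proxy host 10.0.0.2 and the payload-sniffing helper are all assumptions made for this example.

```python
"""Toy 5-tuple packet filter (added example, not from the mailing list thread).

Demonstrates why header-based ACLs cannot tell application protocols apart,
and how a "proxy on LAN + deny-all on the gateway" design sidesteps that.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source address
    dst: str            # destination address
    dport: int          # destination port
    in_iface: str       # interface the packet arrived on ("lan" or "wan")
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None matches any protocol
    dport: Optional[int] = None        # None matches any port
    src: Optional[str] = None          # None matches any source
    not_in_via: Optional[str] = None   # mirrors ipfw "not in via $lan"

    def matches(self, p: Packet) -> bool:
        # Every field is a header field: the payload is never consulted.
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src is not None and self.src != p.src:
            return False
        # "not in via X": rule applies only to packets that did NOT arrive on X
        if self.not_in_via is not None and p.in_iface == self.not_in_via:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First-match evaluation, as ipfw and iptables chains do; default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def classify_payload(payload: bytes) -> str:
    """What an application-layer proxy could see but a 5-tuple filter cannot.
    Assumed heuristic: look at the first client bytes of the session."""
    head = payload[:8].upper()
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if head.startswith((b"EHLO ", b"HELO ")):
        return "smtp"
    if head.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


# Rule set 1: the "just allow 80/443" style ACL from the quoted message,
# plus the NTP rule the reply quotes (deny UDP/123 unless it came in via LAN).
FLAT_ACL = [
    Rule("deny", proto="udp", dport=123, not_in_via="lan"),
    Rule("allow", proto="tcp", dport=80),
    Rule("allow", proto="tcp", dport=443),
    Rule("deny"),
]

# Rule set 2: clients must use the LAN proxy (assumed 10.0.0.2); the gateway
# lets only the proxy out on 80/443 and is otherwise "deny all".
PROXY_HOST = "10.0.0.2"
PROXY_ACL = [
    Rule("allow", proto="tcp", dport=80, src=PROXY_HOST),
    Rule("allow", proto="tcp", dport=443, src=PROXY_HOST),
    Rule("deny"),
]

# Constructed sample packets (documentation address ranges).
HTTP_FROM_CLIENT = Packet("tcp", "10.0.0.10", "203.0.113.5", 80, "lan",
                          b"GET / HTTP/1.1\r\nHost: example.com\r\n")
SMTP_ON_80 = Packet("tcp", "10.0.0.10", "203.0.113.6", 80, "lan",
                    b"EHLO mail.example.com\r\n")
NTP_FROM_WAN = Packet("udp", "198.51.100.9", "10.0.0.1", 123, "wan")
HTTP_FROM_PROXY = Packet("tcp", PROXY_HOST, "203.0.113.5", 80, "lan",
                         b"GET / HTTP/1.1\r\nHost: example.com\r\n")


def demo() -> None:
    for name, pkt in [("http from client", HTTP_FROM_CLIENT),
                      ("smtp on port 80", SMTP_ON_80),
                      ("ntp from wan", NTP_FROM_WAN),
                      ("http from proxy", HTTP_FROM_PROXY)]:
        print(f"{name:16s} flat={evaluate(FLAT_ACL, pkt):5s} "
              f"proxy={evaluate(PROXY_ACL, pkt):5s} "
              f"payload looks like {classify_payload(pkt.payload)}")


if __name__ == "__main__":
    demo()
```

Under `FLAT_ACL` the HTTP request and the SMTP session on port 80 both come back "allow", because `Rule.matches` only ever reads header fields; only `classify_payload`, standing in for an application-layer proxy, can tell them apart. Under `PROXY_ACL` the direct client traffic is denied outright and only the proxy host's traffic passes, which is the structure the quoted message suggests for the 80/443 problem.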