# ipfw rule to allow certain range of PCs inside network



## Fors (Mar 14, 2013)

Hello,

My server has a public IP address in a 10.0.0.0/8 network. I want to restrict access to me, letting packets from computers with addresses 10.num.num.0 - 10.num.num.255 be checked by other service-specific rules, but denying access for others from the 10.0.0.0/8 network.

I'm a bit confused. I can't find suitable IPFW rules for that.

If I write an allow rule for that trusted range and then a deny rule for the whole 10.0.0.0/8, the rest of the rules won't work. For example, rules after the dots _[ ? -- Mod.]_ won't be checked, because the first two rules are triggered:


```
$cmd add allow all from ${trusted_network} to ${ip_out} via ${ifc_out}
$cmd add allow all from ${ip_out} to ${trusted_network} via ${ifc_out}
$cmd add deny all from any to 10.0.0.0/8 via ${ifc_out}
$cmd add deny all from 10.0.0.0/8 to any via ${ifc_out}
............
$cmd add allow all from ${ip_out} to any 53 out via ${ifc_out}
$cmd add allow all from any 53 to ${ip_out} via ${ifc_out}
```

Is there any solution?


----------



## Fors (Mar 14, 2013)

And an important note: my IP is inside that trusted range of hosts.


----------



## Anonymous (Mar 14, 2013)

My suggestion is to move the specific allow rules before the first two general allow rules, and to keep the "catch-all-the-rest" deny rules at the end. As a general rule of thumb, specific rules should come before general rules.

In addition, I recommend using explicit rule sequence numbers instead of relying on ipfw(8) putting your rules automatically into the right sequence, which can easily be messed up when experimenting with new rules while forgetting to delete old ones.
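The reordering suggested above, written out with explicit rule numbers next to the order from the question (an added example, not code posted in this thread). The addresses, interface name, rule numbers, the `dns_server` peer and the `shadowed_allows` helper are constructed for illustration; the script only prints the commands unless `cmd` is set to the real `ipfw`.

```sh
#!/bin/sh
# Added example, not code from the thread. All values below are constructed.
# Dry run by default (prints the commands); set cmd="ipfw -q" on the FreeBSD host.
cmd="${cmd:-echo ipfw}"
ifc_out="em0"
ip_out="10.1.2.10"              # the server itself, inside the trusted range
trusted_network="10.1.2.0/24"
dns_server="10.9.9.53"          # explicit peer instead of "any"

# Order from the question, numbered as ipfw auto-numbers (default step 100).
original_ruleset() {
    n=0
    while read -r rule; do
        n=$((n + 100)); echo "ipfw add $n $rule"
    done <<EOF
allow all from ${trusted_network} to ${ip_out} via ${ifc_out}
allow all from ${ip_out} to ${trusted_network} via ${ifc_out}
deny all from any to 10.0.0.0/8 via ${ifc_out}
deny all from 10.0.0.0/8 to any via ${ifc_out}
allow all from ${ip_out} to any 53 out via ${ifc_out}
allow all from any 53 to ${ip_out} via ${ifc_out}
EOF
}

# Suggested order: specific service rules, then the trusted range, deny last.
ordered_ruleset() {
    $cmd add 1000 allow all from "${ip_out}" to "${dns_server}" 53 out via "${ifc_out}"
    $cmd add 1010 allow all from "${dns_server}" 53 to "${ip_out}" via "${ifc_out}"
    $cmd add 2000 allow all from "${trusted_network}" to "${ip_out}" via "${ifc_out}"
    $cmd add 2010 allow all from "${ip_out}" to "${trusted_network}" via "${ifc_out}"
    $cmd add 9000 deny all from any to 10.0.0.0/8 via "${ifc_out}"
    $cmd add 9010 deny all from 10.0.0.0/8 to any via "${ifc_out}"
}

# Rough check for a host whose own address is in 10.0.0.0/8: once both deny
# rules have been passed, a later allow rule sees no traffic to or from the
# host. Reads "ipfw add N action ..." lines in rule order, prints the numbers
# of such allow rules.
shadowed_allows() {
    awk '$4 == "deny"  && /to 10\.0\.0\.0\/8/   { to = 1 }
         $4 == "deny"  && /from 10\.0\.0\.0\/8/ { from = 1 }
         $4 == "allow" && to && from            { print $3 }'
}

original_ruleset | shadowed_allows   # prints 500 and 600 (the DNS rules)
ordered_ruleset                      # prints, or applies, the reordered rules
```

Because first match wins, the service rules at 1000 and 1010 are evaluated before the deny pair, so they name an explicit peer rather than `any`; with `any` they would also admit the untrusted part of 10.0.0.0/8.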


----------



## Fors (Mar 14, 2013)

rolfheinrich said:

> My suggestion is to move the specific allow rules before the first two general allow rules, and to keep the "catch-all-the-rest" deny rules at the end. As a general rule of thumb, specific rules should come before general rules.
> 
> In addition, I recommend using explicit rule sequence numbers instead of relying on ipfw(8) putting your rules automatically into the right sequence, which can easily be messed up when experimenting with new rules while forgetting to delete old ones.



So, there can't be any single rule blocking the network except some range inside. I tried to put that potential rule in the first positions (or mark it with a low rule sequence number). But since it's impossible, a good solution is to organize the rules in the proper sequence. I had to replace _any_ with explicit addresses everywhere :\
But now it seems to be a proper solution. Thank you rolfheinrich!


----------



## qsecofr (Mar 15, 2013)

Not sure if I totally understand the requirement, but had you considered using tables in your ipfw ruleset?  The subset of IP addresses to allow could be read from a file, and inserted into a table.  One allow command can then be executed against all IP addresses in the table, while the deny rule could be applied against the entire network range.


----------

