bumbler
December 27th, 2005, 12:53
When I had dialup, the standard dialup firewall (http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html) worked fine. However, on DSL, it does a little too much. The problem I have is, all my traffic comes through the one and only interface, rl0. Instead of differentiating between interfaces, is there a way to substitute IP ranges? I want to allow traffic from 192.168.0.0/255, and filter everything else according to the rest of the rules.

So, how would I substitute an IP range for $iif and $oif? Or is there another mechanism? All my reading of TFMs and googling brings stuff over my admittedly empty head.

bumbler
January 3rd, 2006, 13:37
Oh, thank you for the help! :silly:

What I ended up trying was to exchange this line:

$fwcmd add allow ip from any to any via $iif

With this pair:

$fwcmd add allow ip from any to 192.168.1.0/24
$fwcmd add allow ip from 192.168.1.0/24 to any

because I have no idea of any other way to cover it. So, if anyone bothers to read this and knows how, tell me what I did wrong.
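As an added example (not from this thread or from the FreeBSD dialup-firewall article), here is one way to redo the article's ruleset for a box with a single interface, keying the trusted side on an address range instead of $iif/$oif. Two things the pair of rules in the post above glosses over: if the box's own address is inside 192.168.1.0/24 (the usual setup when the DSL modem hands out that range), "allow ip from any to 192.168.1.0/24" matches every inbound packet to the box, so it is an allow-all rule; and with one interface a source range can be forged in a way an interface name cannot, so the LAN range should only open the specific services you actually offer to LAN neighbours, with everything else handled by stateful rules for the box's own connections. The prefix, the single LAN-facing service (ssh on 22) and the ICMP types are assumptions; "me", "in"/"out", "setup", "keep-state"/"check-state" and "icmptypes" are standard ipfw keywords. By default the script prints the ipfw commands instead of installing them; set FWCMD=/sbin/ipfw to load them for real.

```shell
#!/bin/sh
# Added example: ipfw ruleset for a ONE-interface host where the trusted side is
# an address range, not an interface.  Not the thread's or the article's code.
# Assumptions: LAN prefix passed as $1, ssh (22) is the only service offered to
# the LAN, ping out / replies in are the only ICMP wanted.

# Print the ruleset for LAN prefix $1.  Lines starting with '#' are explanation
# and are skipped by load_rules; nothing is installed here.
gen_rules() {
    lan="$1"
    cat <<EOF
# loopback and anti-spoof, as in the dialup-firewall article
add allow ip from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
# replies to connections this box opened are matched by dynamic rules
add check-state
add allow tcp from me to any out setup keep-state
add allow udp from me to any out keep-state
add allow icmp from me to any out icmptypes 8
add allow icmp from any to me in icmptypes 0,3,11
# the LAN gets ONLY the services we mean to offer it.  Note the 'in' and the
# destination 'me': "allow ip from any to $lan" would match every inbound
# packet, because this box's own address is inside $lan.
add allow tcp from $lan to me 22 in setup keep-state
# everything else is dropped and logged
add deny log ip from any to any
EOF
}

# Number of real rules (comments excluded).
rule_count() { gen_rules "$1" | grep -c '^add '; }

# Refuse the pattern from the post: an unqualified "allow ip from any to LAN"
# is an allow-all once the host itself lives in LAN.  Returns 1 if found.
lint_rules() {
    if gen_rules "$1" | grep '^add ' | grep -q "allow ip from any to $1\$"; then
        echo "blanket inbound allow for $1" >&2
        return 1
    fi
    return 0
}

# Install with $FWCMD (default: print the commands, so this is safe to run on a
# machine without ipfw).  "ipfw -f flush" clears the old set without prompting.
load_rules() {
    fwcmd="${FWCMD:-echo ipfw}"
    $fwcmd -f flush
    gen_rules "$1" | grep '^add ' | while IFS= read -r rule; do
        # word splitting of $rule into ipfw arguments is intended
        $fwcmd $rule
    done
}

lint_rules 192.168.1.0/24 && load_rules 192.168.1.0/24
```

Rule order matters in ipfw: the first match wins, so check-state and the keep-state rules sit before the LAN rule, and the final deny catches whatever the box did not explicitly open.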

Strog
January 6th, 2006, 15:05
This is your firewall for the rest of the network? If so, is there any way you can add another interface to this box?

bumbler
January 6th, 2006, 18:44
No, this is for standalone. I'm not interested in protecting the other machines. All the machines on the network plug into the DSL modem (four ports) which has some kind of minimal firewall I don't trust. Keep in mind, there's a motive here in not protecting the WinXP box: if my wife has trouble with it, that gives me leverage to recommend Open Source. So far, the only other box plugged in on occasion is my FreeBSD laptop.