Date:      Thu, 19 Dec 2002 13:16:42 -0800
From:      Gary D Kline <kline@thought.org>
To:        Rob <listone@deathbeforedecaf.net>
Cc:        Gary D Kline <kline@thought.org>, FreeBSD Mailing List <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Are these IPF -> IPFW protocols equivalent?
Message-ID:  <20021219211642.GA62089@tao.thought.org>
In-Reply-To: <3E01B616.7080708@deathbeforedecaf.net>
References:  <3E01B616.7080708@deathbeforedecaf.net>

On Thu, Dec 19, 2002 at 10:35:42PM +1030, Rob wrote:
> 
> I've only used ipfw for a little while, but there are a few things I can 
> suggest here.
> 
> * A good diagnostic for your rules is
> 
> 	ipfw list
> 
>   Run this after adding a list of rules, and it shows you how they were
>   translated by ipfw. It also shows the default rule (number 65535)
>   which will be allow any or deny any, depending on your kernel options.
> 
> * You don't need to supply a number after 'add' - the ipfw command will
>   number them for you. I'm not sure what happens if you give different
>   rules the same number, but it probably isn't useful.
> 
> * Since you're allowing all out #1 and all in #4, you can combine these
>   rules as
> 
> 	add allow tcp from any to any via dc0 keep-state
> 
>   with the same effect.
> 
> * Likewise with #2 and #5, they can be combined as
> 
> 	add allow icmp from any to any via dc0 keep-state
> 
> * Likewise with #7 and #8.


		This is very helpful, thanks.  I didn't know 
		if the in/out rules had to be specified, 
		even if they were redundant.  As a first cut,
		I'm testing everything on one of my internal 
		servers...  So far, looks promising.  --Famous
		last words:?)



> 
> * The keep-state option allows you to set up two-way traffic based on a
>   one-way rule. I think it's mainly designed for UDP (where there's no
>   established connection to allow) but it should work for ICMP as well.
> 
>   However, since you're already allowing traffic both ways (in & out) it
>   isn't necessary in this case.
> 
> * If your default rule is deny all, you don't need #3 and #6, because it
>   will be denied anyway.


		Makes sense.  This was what worked with ipf/ipf.rules;
		I just ported it.


> 
> * If you give a hostname to ipfw, it will resolve the address when
>   adding the rule.
> 
> * So you should be able to do the same thing with
> 
> 	add allow tcp from any to any via dc0
> 	add allow icmp from any to any via dc0
> 	add allow ip from localhost to localhost via lo0
> 
> As I said, I've only been using ipfw for a little while so wiser heads 
> may contradict some of this....
> 
> Best of luck :-)
> 


	The "hostname" brings up a question (involving sending mail
	from outside using hidden/private servers).  I've been
	wondering if ipfw will let me do the following:

	sendmail is configured to send mail from "outside" to
	   
	   jqs@thought.org

	jqs is my test account on zen.thought.org.  Can I configure
	ipfw on ns1.thought.org to recognize mail from "outside" to

	   jqs@zen.thought.org

	???  --Is there any way of testing this rule?  Anybody?

	thanks muchly!

	gary


> 

-- 
   Gary Kline     kline@thought.org   www.thought.org     Public service Unix


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
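Editor's note, added to the archive and not part of either poster's message: the
consolidated rules Rob suggests are a good starting point, but a couple of
points are worth making concrete.  'allow tcp from any to any via dc0
keep-state' already passes traffic in both directions, so the keep-state on it
buys nothing; state only becomes useful when the static rule is one-way
('out via dc0 setup keep-state'), at which point a 'check-state' rule ahead of
it matches the replies and unsolicited inbound TCP falls through to rule
65535, which is deny unless the kernel was built with
IPFIREWALL_DEFAULT_TO_ACCEPT.  On Gary's last question: ipfw matches on
addresses, ports, protocols and interfaces, not on SMTP envelope recipients,
so "mail from outside to jqs@zen.thought.org" is something to express in
sendmail's configuration, not in a firewall rule.  The script below is an
added example of that stateful variant, not code from the thread; it assumes a
FreeBSD host with ipfw in the kernel and an outside interface named dc0 as in
the original post, and the names IPFW, EXT_IF, ruleset, rule_count,
load_rules and show_rules are this example's own.  Setting IPFW=echo prints
the commands instead of running them, which is a cheap way to test the rule
text before touching a remote box.

```shell
#!/bin/sh
# Added example (not from the thread): load a stateful ipfw rule set.
# Assumptions: FreeBSD with ipfw compiled in (IPFIREWALL), outside
# interface dc0. IPFW=echo turns this into a dry run.

IPFW=${IPFW:-/sbin/ipfw}
EXT_IF=${EXT_IF:-dc0}

# Rule bodies, one per line, in the order they must be loaded.
# check-state first so replies to existing sessions match before anything
# else is evaluated; the TCP rule only creates state for connections that
# start on the inside (out ... setup), so inbound SYNs fall through to
# the default rule 65535 (deny unless IPFIREWALL_DEFAULT_TO_ACCEPT).
ruleset() {
	cat <<EOF
check-state
allow ip from any to any via lo0
allow tcp from any to any out via $EXT_IF setup keep-state
allow udp from any to any out via $EXT_IF keep-state
allow icmp from any to any via $EXT_IF keep-state
EOF
}

# Number of rules the set contains (handy for a sanity check after loading).
rule_count() {
	ruleset | wc -l | tr -d ' '
}

# Flush and reload. -f answers the "are you sure" prompt that flush asks;
# -q keeps ipfw from printing, which matters over ssh with a deny default:
# a message that cannot be delivered would otherwise kill the session
# before the allow rules are back in place.
load_rules() {
	$IPFW -f -q flush || return 1
	ruleset | while IFS= read -r rule; do
		# word splitting of $rule is intended: ipfw wants separate args
		$IPFW -q add $rule || return 1
	done
}

# Rob's diagnostic, with packet/byte counters so you can see which
# rule actually caught the test traffic.
show_rules() {
	$IPFW -a list
}
```

Usage: 'sh rules.sh' style sourcing and then 'load_rules && show_rules' on
the host itself; run 'IPFW=echo load_rules' first from a shell elsewhere to
eyeball the exact commands it will issue.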



