Date:      Wed, 19 Jan 2000 21:00:29 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To:        cjc@cc942873-a.ewndsr1.nj.home.com (Crist J. Clark)
Cc:        jwyatt@rwsystems.net (James Wyatt), oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: New Firewall
Message-ID:  <200001200500.VAA53835@gndrsh.dnsmgr.net>
In-Reply-To: <20000119234827.A70698@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Jan 19, 2000 11:48:27 pm"

> On Tue, Jan 18, 2000 at 09:40:33AM -0800, Rodney W. Grimes wrote:
> > > On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > > > The following rules can help if you are going to be running SMTP, HTTP,
> > > > POP3, and HTTPS, delete what you don't need.
> > > 	[ ... ]
> > > > # -- Deny setup of other incoming connections
> > > > ipfw add deny tcp from any to any setup
> > > > 
> > > > # -- Deny other incoming IP packets.
> > > > ipfw add deny ip from any to any
> > > 
> > > These rules are duplicate, so you can drop the first one. The last rule is
> > > commonly the default in /etc/rc.firewall as well. That aside, I might keep
> > > the first one and change it to '... deny log ...', thus logging connection
> > > attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> > > is all about... - Jy@

I missed this the first time around.  log_in_vain will not always do what
a log deny would do on this rule.  log_in_vain will only catch connections
to the router/host, not packets passing through the router if it is a
real firewall/forwarding engine.

> > 
> > These rules are not equivalent, ip != tcp, and setup != null.  The first
> > rule is _VERY_ important.  The second can be eliminated, see other email
> > from me on missing ``setup'' on all the other rules...
> 
> Huh?
> 
> While it's true the rules are obviously not "duplicates" or
> "equivalent," the first one is not necessary when these two appear next
> to one another and no logging is done (like it is written).

Then it would have been clearer had you said ``The second rule is
redundant because...''

> Anything
> that would be denied by the first rule would be denied by the
> second, i.e. all packets that match the first rule are a subset of the
> packets that match the second.

Yes, that is true; however, I still stand by my statement, and you confirm
it here, that ``these rules are not equivalent''.
> 
> Or am I missing something?

Yeah, that people often add rules between other rules, especially between
those 2 rules :-).  (For example that is one place that ttcp syn/fin packet
processing can be done.)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
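The ruleset the thread argues about, written out as an added example (this is not code from the original posts or from the stock /etc/rc.firewall): both rules are kept, the tcp/setup rule carries `log`, and a deliberate numbering gap is left between it and the catch-all so that later rules can be inserted between them without renumbering. It follows the rc.firewall convention of running everything through a `${fwcmd}` variable; as an assumption for running it on a host without ipfw, `FWCMD` defaults to a dry-run `echo` wrapper, and on FreeBSD you would invoke it with `FWCMD=/sbin/ipfw`. The service ports (25, 80, 110, 443) are the SMTP/HTTP/POP3/HTTPS set named in the thread. One caveat worth remembering: ipfw's `log` keyword only produces syslog entries when the kernel has firewall logging enabled (the `net.inet.ip.fw.verbose` sysctl set to 1), which is separate from `log_in_vain` in /etc/rc.conf.

```shell
#!/bin/sh
# Added example, not from the original thread: an rc.firewall-style fragment
# that keeps both rules under discussion, logs on the tcp/setup rule, and
# leaves numbered room between it and the catch-all for later insertions.
# Assumption: FWCMD defaults to a dry-run wrapper so this can be executed on a
# host without ipfw; on FreeBSD run with FWCMD=/sbin/ipfw to load the rules.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

emit_ruleset() {
    ${fwcmd} -f flush

    # Loopback and anti-spoofing of the loopback net, as in the stock rc.firewall.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any

    # Packets belonging to already-established TCP flows pass; only new
    # connections (SYN, i.e. "setup") are policed by the rules below.
    ${fwcmd} add 1000 allow tcp from any to any established

    # Services from the thread (SMTP, HTTP, POP3, HTTPS); delete what you
    # do not run.  Each gets its own rule number so they can be listed
    # and deleted individually.
    n=2000
    for port in 25 80 110 443; do
        ${fwcmd} add ${n} allow tcp from any to any ${port} setup
        n=$((n + 10))
    done

    # Every other inbound SYN is denied AND logged.  Unlike log_in_vain,
    # this also records SYNs being forwarded through the box, not only
    # those addressed to it.
    ${fwcmd} add 60000 deny log tcp from any to any setup

    # Rule numbers 60001-64999 are deliberately left free: anything that
    # has to sit between the SYN deny and the catch-all is inserted here,
    # without touching either of the two rules.

    # Final catch-all for every other IP packet (the rc.firewall default).
    ${fwcmd} add 65000 deny ip from any to any
}

# Helper for dry-run mode: print the rule number of the first emitted rule
# whose text contains the given pattern, so ordering can be checked
# without loading anything into the kernel.  Relies on the dry-run output
# format "/sbin/ipfw add <number> ...".
rule_number() {
    emit_ruleset | awk -v pat="$1" 'index($0, pat) { print $3; exit }'
}

# Stand-alone use: show the ruleset that would be loaded.
emit_ruleset
```

Running the script without `FWCMD` set prints the ipfw commands instead of loading them, which is a convenient way to review the final order before putting it in place; `rule_number 'deny log tcp'` returning a smaller number than `rule_number 'deny ip from any to any'` is the ordering the thread insists on.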

