From: Giorgos Keramidas <keramida@FreeBSD.org>
To: Brett Proctor
Cc: freebsd-doc@FreeBSD.org
Date: Thu, 20 Apr 2006 20:58:03 +0300
Subject: Re: 26.6 IPFW: Couple things
Message-ID: <20060420175803.GA2732@gothmog.pc>
In-Reply-To: <3e19003d0604140442y29756ff5s3d05ff17a840575b@mail.gmail.com>
On 2006-04-14 04:42, Brett Proctor wrote:
> First off, let me say thank you to whoever is responsible for writing
> all this. Really helpful stuff. I implemented the NAT-ed stateful
> ruleset (the last example) and found a bug I believe. The offending
> line:
>
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
>
> the TCP part should be UDP I believe. In some previous sections it
> seemed it listed both TCP and UDP rules for DNS, but I believe that
> DNS only uses TCP.

No, DNS uses both UDP and TCP, if necessary.

> Also, is this a bit logically inconsistent? (Very last line)
>
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
> Isn't it impossible for anything to get past rule 801? Doesn't it
> essentially make it a default allow-all policy? If I'm not mistaken
> shouldn't rule 999 be moved and changed to 799?

Rule 801 should be removed, if you want to make this a deny-by-default
firewall.

This is an old post, but I only now found the time to read it in
detail. I'll check the current version of the Handbook "Firewall"
chapter and let you know if these comments still apply.

Thanks for the willingness to help us improve the docs :)

- Giorgos
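An added example, not part of this thread or of the Handbook: a toy first-match model of the quoted tail of the ruleset, so that the shadowing Brett describes (nothing reaches rule 999 while rule 801 is present) can be checked mechanically. The rule and packet tuples, ignoring `setup keep-state` and `via $pif`, and treating a divert as natd handing the packet back so that evaluation resumes at the next rule are simplifying assumptions of this model.

```python
# Constructed model of ipfw first-match evaluation, not ipfw itself.
# Rule: (number, action, proto, dst, dport, direction); Packet: (proto, dst, dport, direction)
from typing import List, Optional, Tuple

Rule = Tuple[int, str, str, str, Optional[int], str]
Packet = Tuple[str, str, int, str]

# The tail of the NAT-ed stateful ruleset as quoted in the thread ($skip = "skipto 800").
HANDBOOK_TAIL: List[Rule] = [
    (20,  "skipto 800", "tcp", "x.x.x.x", 53,   "out"),   # DNS rule, TCP only
    (800, "divert",     "ip",  "any",     None, "out"),   # divert natd ... out
    (801, "allow",      "ip",  "any",     None, "any"),   # allow ip from any to any
    (999, "deny",       "ip",  "any",     None, "any"),   # deny log all
]

def matches(rule: Rule, pkt: Packet) -> bool:
    _, _, proto, dst, dport, direction = rule
    p_proto, p_dst, p_dport, p_dir = pkt
    return ((proto == "ip" or proto == p_proto)
            and (dst == "any" or dst == p_dst)
            and (dport is None or dport == p_dport)
            and (direction == "any" or direction == p_dir))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, verdict) of the rule that ends the search."""
    ordered = sorted(rules, key=lambda r: r[0])
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if matches(rule, pkt):
            action = rule[1]
            if action.startswith("skipto"):            # jump to first rule >= target
                target = int(action.split()[1])
                i = next((k for k, r in enumerate(ordered) if r[0] >= target), len(ordered))
                continue
            if action != "divert":                     # allow / deny terminate
                return rule[0], action
        i += 1                                         # divert: resume at next rule
    return 65535, "deny"                               # ipfw's implicit default rule

def shadowed_by_allow_all(rules: List[Rule]) -> List[int]:
    """Rule numbers that come after an unconditional 'allow ip from any to any'."""
    ordered = sorted(rules, key=lambda r: r[0])
    for i, (_, action, proto, dst, dport, direction) in enumerate(ordered):
        if (action, proto, dst, dport, direction) == ("allow", "ip", "any", None, "any"):
            return [r[0] for r in ordered[i + 1:]]
    return []
```

Running `shadowed_by_allow_all(HANDBOOK_TAIL)` reports rule 999 as unreachable; with rule 801 dropped, an unsolicited inbound packet falls through to 999 instead.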