From: Curby
To: freebsd-questions@freebsd.org
Date: Sun, 25 Feb 2007 04:33:13 -0700
Subject: ipfw questions

I'm using IPFW2 on a Mac, but hopefully these questions are general enough for this list.

First, is there any reason not to prefer "from any to any" over "from any to me" when adding rules to allow access to local services? Some ipfw configurations I've found use "from any to any," which doesn't seem bad except that it's unnecessarily general.

Also, there's a verrevpath option, but Apple's default ruleset still uses the following:

    deny log ip from 127.0.0.0/8 to any in
    deny log ip from any to 127.0.0.0/8 in
    deny log ip from 224.0.0.0/3 to any in
    deny log tcp from any to 224.0.0.0/3 in

Is it correct that verrevpath should make these redundant/obsolete? It'd be nice to have one rule instead of 4, but I'm wondering why Apple isn't using its own supported features.

Thanks!
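As an added example (not part of the post above, nor Apple's or FreeBSD's own ruleset), the script below prints an ipfw2 ruleset that keeps the four explicit loopback/multicast denies next to a verrevpath rule, and uses "to me" rather than "to any" for the service allows; the port numbers and rule numbers are assumed for illustration. verrevpath only checks whether the source address routes back out the arrival interface, so it does not by itself replace the two rules that match on the destination address.

```shell
#!/bin/sh
# Constructed example: emits an ipfw2 ruleset as text so it can be reviewed
# (or saved and loaded with `ipfw <file>`) without touching the live firewall.
# Ports 22 and 80 are assumed service ports; rule numbers are arbitrary.

ruleset() {
    cat <<'EOF'
# Loopback stays on lo0; nothing claiming 127/8 may enter on another interface.
add 00100 allow ip from any to any via lo0
add 00110 deny log ip from 127.0.0.0/8 to any in
add 00120 deny log ip from any to 127.0.0.0/8 in
# Class D/E destinations are not local services; keep these destination checks,
# since verrevpath looks at the source address only.
add 00130 deny log ip from 224.0.0.0/3 to any in
add 00140 deny log tcp from any to 224.0.0.0/3 in
# Reverse-path check: drop inbound packets whose source address would not be
# routed back through the interface they arrived on (covers most spoofed sources).
add 00150 deny log ip from any to any not verrevpath in
# Service allows: "to me" matches only this host's own addresses, so the rule
# cannot accidentally admit forwarded traffic the way "to any" can.
add 01000 allow tcp from any to me 22 in setup keep-state
add 01010 allow tcp from any to me 80 in setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Lint helper: number of TCP service allows that do not restrict the
# destination to this host ("to me"). Zero is the desired result.
service_allows_without_me() {
    ruleset | grep 'allow tcp' | grep -vc ' to me ' || true
}

# Total number of rules the generator emits (comment lines excluded).
rule_count() {
    ruleset | grep -c '^add'
}
```

Run `ruleset` to see the rules, and `service_allows_without_me` as a quick check before loading a ruleset that was copied from elsewhere.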