Date: Sat, 12 Jan 2002 17:31:29 -0800
From: Gregory Sutter
To: stable@FreeBSD.ORG
Subject: Re: tcp keepalive and dynamic ipfw rules
Message-ID: <20020113013129.GC5234@klapaucius.zer0.org>
In-Reply-To: <15424.33362.685365.782853@caddis.yogotech.com>
References: <20020112123054.A20486@localhost> <15424.33362.685365.782853@caddis.yogotech.com>
Organization: Zer0

On 2002-01-12 11:37 -0700, Nate Williams wrote:
> > > I have set up a dynamic firewall for my personal computer with such rules
> > >
> > > ipfw add check-state
> > > ipfw add deny tcp from any to any established
>
> This rule doesn't do a heck of a lot, unless you have by default an
> 'open' setup.

A better idea may be to add the 'log' keyword to this rule, so you
can see if someone is passing packets with fake 'established' flags.
Then, of course, deny all other unknown packets later.

> # Allow me to make UDP connections
> ipfw add check-state
> ipfw add pass udp from me to any keep-state out

This check-state rule is superfluous, since the state will be checked
at the keep-state rule if no check-state rule is present.

Does anyone know of a place where one can look at a number of
firewall rulesets? I'm working on improving mine and would like to
see the neat things people have come up with.

Greg
--
Gregory S. Sutter                The process of scientific discovery
mailto:gsutter@zer0.org          is, in effect, a continual flight
http://www.zer0.org/~gsutter/    from wonder.  --Albert Einstein
hkp://wwwkeys.pgp.net/0x845DFEDD
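A ruleset in the shape Greg describes (a single check-state up front, the established-deny rule carrying 'log', keep-state on the outbound rules, and a logged default deny at the end), written as an added example for this page rather than anything posted in the thread. The interface name ext0 is a placeholder, and the rules are only loaded into the kernel when the script is run with the argument "apply".

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Rules are emitted by a
# function so they can be reviewed (or piped into ipfw) without touching the
# running firewall. Assumption: the outside interface is a placeholder, $EXT_IF.
EXT_IF="${EXT_IF:-ext0}"   # placeholder interface name; change for your host

# Emit the ruleset, one ipfw command per line (comment lines start with '#').
ipfw_rules() {
    cat <<EOF
# 1. Match packets against the dynamic rule table first, once.
add 100 check-state
# 2. TCP segments that claim to be part of an established connection but
#    matched no dynamic rule are dropped AND logged, so forged ACK/established
#    flags show up in the log instead of silently disappearing.
add 200 deny log tcp from any to any established
# 3. Outbound sessions from this host create dynamic rules; their replies are
#    admitted by the check-state rule above. No extra check-state is needed
#    in front of each keep-state rule.
add 300 allow tcp from me to any setup keep-state out via $EXT_IF
add 400 allow udp from me to any keep-state out via $EXT_IF
# 4. Everything else that matched no state is dropped and logged.
add 65000 deny log ip from any to any
EOF
}

# Strip the comment lines so only ipfw commands remain.
ipfw_commands() {
    ipfw_rules | grep -v '^#'
}

# Sanity check before loading: every deny rule in this set should be a
# logged one, so the count of 'deny log' rules equals the count of denies.
count_logged_denies() {
    ipfw_commands | grep -c 'deny log'
}

# Load the rules into the kernel only when explicitly asked.
if [ "${1:-}" = "apply" ]; then
    ipfw -q -f flush
    ipfw_commands | ipfw -q /dev/stdin
fi
```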