Date:      Sat, 12 Jan 2002 23:29:25 -0700
From:      Nate Williams <nate@yogotech.com>
To:        Gregory Sutter <gsutter@zer0.org>
Cc:        stable@FreeBSD.ORG
Subject:   Re: tcp keepalive and dynamic ipfw rules
Message-ID:  <15425.10565.384608.556622@caddis.yogotech.com>
In-Reply-To: <20020113013129.GC5234@klapaucius.zer0.org>
References:  <20020112123054.A20486@localhost> <B865C95B.911F%freebsd@damnhippie.dyndns.org> <15424.33362.685365.782853@caddis.yogotech.com> <20020113013129.GC5234@klapaucius.zer0.org>

> > > > I have setup a dynamic firewall for my personal computer with such rules
> > > > 
> > > > ipfw add check-state
> > > > ipfw add deny tcp from any to any established
> > 
> > This rule doesn't do a heck of a lot, unless you have by default an
> > 'open' setup.
> 
> A better idea may be to add the 'log' keyword to this rule, so you can
> see if someone is passing packets with fake 'established' flags.  Then,
> of course, deny all other unknown packets later.
>  
> > # Allow me to make UDP connections
> > ipfw add check-state
> > ipfw add pass udp from me to any keep-state out
> 
> This check-state rule is superfluous, since the state will be checked 
> at the keep-state rule if no check-state rule is present.

True, but in my case, there are *lots* of rules in between the two.  I
was giving an example.

> Does anyone know of a place where one can look at a number of 
> firewall rulesets?  I'm working on improving mine and would like
> to see the neat things people have come up with.

I try not to give mine out publicly.  I know it's security through
obscurity, but what I have blocked and what I don't could be used
against me in some cases.

However, I'm willing to share what I have offline if you'd like.

Nate
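
As an added illustration (not part of this thread, and not ipfw code), the following Python model reproduces the two points argued above: that a "deny tcp ... established log" rule only sees packets that carry ACK/RST but matched no dynamic state, and that a leading check-state is redundant when the first keep-state rule is the next place dynamic state would be consulted anyway. The Packet and Rule classes, the host address ME, the traffic samples and the default-deny fallthrough are all constructed for the example; the real ipfw matcher is far richer than this.

```python
"""Toy model of ipfw stateful evaluation (constructed for illustration).

Only the features discussed in the thread are modelled: check-state,
keep-state, 'established' (TCP packets with ACK or RST set) and 'log'.
It is NOT the real ipfw packet matcher.
"""
from dataclasses import dataclass
from typing import Optional

ME = "10.0.0.2"          # assumed address of the protected host ("me")


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    direction: str       # "in" or "out"
    flags: frozenset = frozenset()   # e.g. frozenset({"ACK"})


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src: str = "any"                 # "any" or "me"
    direction: Optional[str] = None  # "in", "out" or None (both)
    established: bool = False        # match TCP with ACK or RST set
    keep_state: bool = False
    check_state: bool = False
    log: bool = False


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # dynamic rules, keyed by (proto, src, sport, dst, dport)
        self.log = []        # lines a 'log' rule would have written

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _has_state(self, p):
        return self._key(p) in self.state or self._reverse(p) in self.state

    def _static_match(self, r, p):
        if r.proto != "any" and r.proto != p.proto:
            return False
        if r.src == "me" and p.src != ME:
            return False
        if r.direction and r.direction != p.direction:
            return False
        if r.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True

    def evaluate(self, p):
        seen_check_state = False
        for n, r in enumerate(self.rules, 1):
            if r.check_state:
                seen_check_state = True
                if self._has_state(p):
                    return "allow"     # dynamic rules here all come from allow rules
                continue
            if r.keep_state and not seen_check_state:
                # ipfw: with no earlier check-state, dynamic rules are
                # consulted at the first keep-state rule encountered.
                seen_check_state = True
                if self._has_state(p):
                    return "allow"
            if not self._static_match(r, p):
                continue
            if r.log:
                self.log.append(f"rule {n} {r.action} {p.proto} "
                                f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.direction}")
            if r.keep_state and r.action == "allow":
                self.state.add(self._key(p))
            return r.action
        return "deny"   # assumed default-deny at the end of the ruleset


def ruleset(with_check_state):
    """The quoted ruleset, with or without the leading check-state."""
    rules = []
    if with_check_state:
        rules.append(Rule("allow", check_state=True))
    rules.append(Rule("deny", proto="tcp", established=True, log=True))
    rules.append(Rule("allow", proto="udp", src="me", direction="out", keep_state=True))
    return Firewall(rules)


def udp_exchange(fw):
    """Outbound DNS query from me and its reply (constructed traffic)."""
    out = Packet("udp", ME, "192.0.2.53", 40000, 53, "out")
    back = Packet("udp", "192.0.2.53", ME, 53, 40000, "in")
    return fw.evaluate(out), fw.evaluate(back)


def spoofed_ack(fw):
    """Inbound TCP with ACK set but no matching state: the 'established' deny fires."""
    p = Packet("tcp", "198.51.100.9", ME, 31337, 22, "in", frozenset({"ACK"}))
    return fw.evaluate(p), len(fw.log)
```

Both variants of the ruleset let the UDP reply back in, which is the "superfluous check-state" argument; the forged ACK packet is the one case the logged deny catches, so the log line is the evidence the earlier reply suggests collecting.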

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15425.10565.384608.556622>