From: Nate Williams
Date: Sat, 12 Jan 2002 23:29:25 -0700
To: Gregory Sutter
Cc: stable@FreeBSD.ORG
Subject: Re: tcp keepalive and dynamic ipfw rules
Message-ID: <15425.10565.384608.556622@caddis.yogotech.com>
In-Reply-To: <20020113013129.GC5234@klapaucius.zer0.org>
References: <20020112123054.A20486@localhost> <15424.33362.685365.782853@caddis.yogotech.com> <20020113013129.GC5234@klapaucius.zer0.org>

> > > > I have setup a dynamic firewall for my personal computer with such rules
> > > >
> > > > ipfw add check-state
> > > > ipfw add deny tcp from any to any established
> >
> > This rule doesn't do a heck of a lot, unless you have by default an
> > 'open' setup.
>
> A better idea may be to add the 'log' keyword to this rule, so you can
> see if someone is passing packets with fake 'established' flags. Then,
> of course, deny all other unknown packets later.

> > > # Allow me to make UDP connections
> > > ipfw add check-state
> > > ipfw add pass udp from me to any keep-state out
>
> This check-state rule is superfluous, since the state will be checked
> at the keep-state rule if no check-state rule is present.

True, but in my case, there are *lots* of rules in between the two. I
was giving an example.

> Does anyone know of a place where one can look at a number of
> firewall rulesets? I'm working on improving mine and would like
> to see the neat things people have come up with.

I try not to give mine out publicly. I know it's security through
obscurity, but what I have blocked and what I don't could be used
against me in some cases. However, I'm willing to share what I have
offline if you'd like.

Nate