From: Bill Tillman
To: "freebsd-net@freebsd.org"
Date: Sun, 5 Feb 2012 04:05:13 -0800 (PST)
Subject: Re: HowTo easy use IPFW
Message-ID: <1328443513.34131.YahooMailNeo@web36505.mail.mud.yahoo.com>
In-Reply-To: <4F2E2C97.7000400@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

From: Julian Elischer
To: Коньков Евгений
Cc: freebsd-net@freebsd.org; freebsd-questions@freebsd.org
Sent: Sunday, February 5, 2012 2:15 AM
Subject: Re: HowTo easy use IPFW

On 2/4/12 10:53 PM, Julian Elischer wrote:
> On 2/2/12 1:33 AM, Коньков Евгений wrote:
>> this is my script which helps me keep my firewall very clean and safe.
>>
>> It is easy to understand even if you have a thousands rules, I think =)
>>
>> please comment.
>>
>> PS. If anybody may, please put into ports tree. thank you.
>
> it would probably get more response if it was in a file format we had heard of.. like tar..
>
> WTF is a ".rar" file?
BTW the "stuffit" expander on a Mac seems to be able to handle it..

I can see that this would allow you to manage very complex rule sets while keeping errors under control.

I find the syntax hard to follow however
I guess that comes from it being a relatively simple perl script doing the work.

it would be nice to get rid of the line numbers entirely in the specifications
and allow the program to completely specify them using symbolic definitions instead.

>
>>
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"


*.rar files have been around a long time. They are created by a program called Winrar. I never understood the need for this because ever since M$ started including support for zip files built right into Windows Explorer there's no need for an additional compression utility. There are some studies which show Winrar is a little more efficient with its compression but with today's 2 TB hard drive prices, disk space is not such a premium anymore. FreeBSD actually has a port for it "/usr/ports/archivers/rar". I have found that this program is mostly used by hackers on the BitTorrent sites who steal and distribute copyrighted software and transmit trojans and viruses so it's been my habit to avoid rar files. If someone I trust sends it I will open it but I don't plan on opening up this guy's ipfw rule set for that very reason. The other reason is that any rule set with 1,000 lines in it has got to be overkill. The simplest advice I could offer here is this:

The only truly safe firewall ruleset consists of one rule and that is:

 deny all from any to any

If you must have Internet access, and we all do, then the next simplest rule set would be:

Build your kernel to have IPFW deny all traffic by default
Allow only the ports you deem necessary for your needs
Deny all other traffic

After you've examined your log files for a few weeks, turn off logging because it's usually just a bunch of crap from IP addresses in China, Amsterdam, or maybe an odd one here and there coming from another source, trying to hack into your computer. I have found over many years that it doesn't pay anything to know about all the attempted attacks. It only pays to stop them cold and the above simple rule set will do just that.