Date: Sun, 5 Feb 2012 04:05:13 -0800 (PST)
From: Bill Tillman <btillman99@yahoo.com>
To: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject: Re: HowTo easy use IPFW
Message-ID: <1328443513.34131.YahooMailNeo@web36505.mail.mud.yahoo.com>
In-Reply-To: <4F2E2C97.7000400@freebsd.org>
References: <67410574.20120202113314@yandex.ru> <4F2E274F.6000601@freebsd.org> <4F2E2C97.7000400@freebsd.org>
From: Julian Elischer <julian@freebsd.org>
To: Коньков Евгений <kes-kes@yandex.ru>
Cc: freebsd-net@freebsd.org; freebsd-questions@freebsd.org
Sent: Sunday, February 5, 2012 2:15 AM
Subject: Re: HowTo easy use IPFW

On 2/4/12 10:53 PM, Julian Elischer wrote:
> On 2/2/12 1:33 AM, Коньков Евгений wrote:
>> this is my script which helps me keep my firewall very clean and safe.
>>
>> It is easy to understand even if you have thousands of rules, I think =)
>>
>> please comment.
>>
>> PS. If anybody may, please put it into the ports tree. thank you.
>
> it would probably get more response if it was in a file format we had heard of.. like tar..
>
> WTF is a ".rar" file?
BTW the "stuffit" expander on a Mac seems to be able to handle it..

I can see that this would allow you to manage very complex rule sets while keeping errors under control.

I find the syntax hard to follow however.
I guess that comes from it being a relatively simple perl script doing the work.

It would be nice to get rid of the line numbers entirely in the specifications
and allow the program to completely specify them using symbolic definitions instead.

>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

*.rar files have been around a long time. They are created by a program called WinRAR. I never understood the need for this because ever since M$ started including support for zip files built right into Windows Explorer there's no need for an additional compression utility. There are some studies which show WinRAR is a little more efficient with its compression, but with today's 2 TB hard drive prices, disk space is not such a premium anymore. FreeBSD actually has a port for it: /usr/ports/archivers/rar. I have found that this program is mostly used by hackers on the BitTorrent sites who steal and distribute copyrighted software and transmit trojans and viruses, so it's been my habit to avoid rar files. If someone I trust sends it I will open it, but I don't plan on opening up this guy's ipfw rule set for that very reason. The other reason is that any rule set with 1,000 lines in it has got to be overkill. The simplest advice I could offer here is this:

The only truly safe firewall ruleset consists of one rule and that is:

 deny all from any to any

If you must have Internet access, and we all do, then the next simplest rule set would be:

Build your kernel to have IPFW deny all traffic by default
Allow only the ports you deem necessary for your needs
Deny all other traffic

After you've examined your log files for a few weeks, turn off logging because it's usually just a bunch of crap from IP addresses in China, Amsterdam, or maybe an odd one here and there coming from another source, trying to hack into your computer. I have found over many years that it doesn't pay anything to know about all the attempted attacks. It only pays to stop them cold and the above simple rule set will do just that.
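The default-deny ruleset sketched in the message above, as an added example that is not part of this thread or of anyone's posted script: a POSIX shell function that renders the ipfw(8) rules for one external interface and a list of TCP ports to admit, with the catch-all deny logged until you decide to turn logging off. The interface name, port numbers and rule spacing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: render the "deny by default, allow only
# the ports you need" IPFW ruleset described above. Assumes ipfw(8) syntax;
# interface names, ports and rule numbers are constructed placeholders.
#
# Kernel side (assumed): build the kernel without IPFIREWALL_DEFAULT_TO_ACCEPT,
# so the implicit last rule 65535 is "deny ip from any to any" even if the
# rules below never get loaded. With the ipfw.ko module instead, set the
# loader tunable net.inet.ip.fw.default_to_accept=0.

# Usage: ipfw_ruleset <ext_if> [tcp_port ...]  -> prints one "add ..." per line.
# Set FW_LOG to an empty string to drop the "log" keyword once you have
# reviewed the logs for a while, as the advice above suggests.
ipfw_ruleset() {
    ext_if=$1; shift
    logword=${FW_LOG-log}
    n=100
    # loopback traffic is always allowed
    echo "add $n allow ip from any to any via lo0";                   n=$((n+100))
    # stateful: replies to our own outbound connections match here
    echo "add $n check-state";                                        n=$((n+100))
    echo "add $n allow ip from me to any out via $ext_if keep-state"; n=$((n+100))
    # inbound: only the listed TCP services, new connections only (setup)
    for p in "$@"; do
        echo "add $n allow tcp from any to me $p in via $ext_if setup keep-state"
        n=$((n+100))
    done
    # explicit catch-all so the policy is visible in "ipfw list",
    # not only in the kernel's default rule
    echo "add $n deny ${logword:+$logword }ip from any to any"
}

# Number of rules the ruleset will install; handy as a sanity check.
ipfw_rule_count() { ipfw_ruleset "$@" | wc -l | tr -d ' '; }

# To apply as root on FreeBSD:  ipfw_ruleset em0 22 443 | sed 's/^/ipfw /' | sh
```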