From owner-freebsd-isp Tue Jan 18 9:27:12 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 7E548150CF; Tue, 18 Jan 2000 09:27:06 -0800 (PST) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1344 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 18 Jan 2000 11:22:32 -0600 (CST) (Smail-3.2.0.106 1999-Mar-31 #1 built 1999-Aug-7)
Date: Tue, 18 Jan 2000 11:22:31 -0600 (CST)
From: James Wyatt
To: Omachonu Ogali
Cc: Brian Gallucci , isp@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: New Firewall
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> The following rules can help if you are going to be running SMTP, HTTP,
> POP3, and HTTPS, delete what you don't need.
[ ... ]
> # -- Deny setup of other incoming connections
> ipfw add deny tcp from any to any setup
>
> # -- Deny other incoming IP packets.
> ipfw add deny ip from any to any

These rules are duplicates, so you can drop the first one. The last rule is commonly the default in /etc/rc.firewall as well. That aside, I might keep the first one and change it to '... deny log ...', thus logging connection attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf is all about...

- Jy@

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
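Added example, not part of the thread: a small first-match simulator in Python (it is not ipfw, and it models only the `deny [log] <proto> from any to any [setup]` subset quoted above) that checks the two points made in the reply: with `deny ip from any to any` in place, the `setup` rule changes no verdict, while rewriting it as `deny log` records each connection attempt. The rule strings are the ones from the thread; the sample traffic is constructed.

```python
from collections import namedtuple

# proto: "tcp"/"udp"/... or "ip" (matches everything); setup: SYN set, ACK clear
Rule = namedtuple("Rule", "proto setup log")
Packet = namedtuple("Packet", "proto syn ack", defaults=(False, False))

def parse_rule(text: str) -> Rule:
    """Parse 'ipfw add deny [log] <proto> from any to any [setup]' (this subset only)."""
    words = text.split()
    if words[:3] != ["ipfw", "add", "deny"]:
        raise ValueError("only 'deny' rules are modelled here")
    rest = words[3:]
    log = rest[0] == "log"
    if log:
        rest = rest[1:]
    if rest[1:5] != ["from", "any", "to", "any"]:
        raise ValueError("only 'from any to any' is modelled here")
    return Rule(proto=rest[0], setup="setup" in rest[5:], log=log)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    return (pkt.proto == "tcp" and pkt.syn and not pkt.ack) if rule.setup else True

def evaluate(rules, packets):
    """First-match evaluation; all rules are deny, so a hit means the packet is dropped."""
    verdicts, log_lines = [], []
    for pkt in packets:
        hit = next((n for n, r in enumerate(rules, 1) if matches(r, pkt)), None)
        verdicts.append("deny" if hit else "no match")
        if hit and rules[hit - 1].log:   # what a 'deny log' match would record
            log_lines.append(f"rule {hit}: deny {pkt.proto} syn={pkt.syn} ack={pkt.ack}")
    return verdicts, log_lines

RULE_SETUP = "ipfw add deny tcp from any to any setup"          # rule from the thread
RULE_IP = "ipfw add deny ip from any to any"                    # rule from the thread
RULE_SETUP_LOG = "ipfw add deny log tcp from any to any setup"  # the suggested variant

# Constructed traffic: two connection attempts (SYN only), one segment of an
# established connection (ACK set), one UDP datagram.
TRAFFIC = [Packet("tcp", syn=True), Packet("tcp", syn=True),
           Packet("tcp", ack=True), Packet("udp")]

def demo():
    """(verdicts with both rules, verdicts with the ip rule alone, log lines with 'deny log')."""
    both, _ = evaluate([parse_rule(RULE_SETUP), parse_rule(RULE_IP)], TRAFFIC)
    only_ip, _ = evaluate([parse_rule(RULE_IP)], TRAFFIC)
    _, logged = evaluate([parse_rule(RULE_SETUP_LOG), parse_rule(RULE_IP)], TRAFFIC)
    return both, only_ip, logged
```

The verdict lists come out identical with and without the `setup` rule, which is the redundancy the reply points out; only the `log` variant produces a record of the two SYN-only attempts.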