From: Bernie
Date: Sat, 5 Jan 2002 02:47:13 +0200 (EET)
To: freebsd-questions@FreeBSD.ORG
Subject: ipfw rules ordering -- newcomer

hello,

i've just set up ipfw on my machine and got a question on ordering the rules:

i understood that rule order matters in the operation of a firewall and the first rule that matches stops the search etc. but what about the order of things you want to allow? is it better to have some ordering for speed, for example?

on my machine, which is used for connecting to the internet (no lan) i got the order as follows:

1. route all through tun0
2. DNS reply allow (*only* reply)
3. all outgoing tcp + udp allow (tcp first setup then establish)
4. allow icmp -- echo-request(8) + echo-reply(0) + traceroute(11)
5. deny + log all others

Do you think the above is good ordering?

thanks a lot for your help

regards,
Bernie
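As an added illustration (not part of Bernie's post or of ipfw itself), a small Python first-match evaluator models the ordering described above: it shows that moving the allow rules around changes how many rules each packet is checked against, but not the accept/deny decision, as long as the allow rules do not overlap and the terminal deny stays last. The rule numbers, the simplified match fields and the traffic mix are assumptions; rule 1 (routing through tun0) is omitted because every packet is assumed to be on tun0 already.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp", "udp" or "icmp"
    direction: str      # "in" or "out" (everything is assumed to be on tun0)
    sport: int = 0
    dport: int = 0
    flags: str = ""     # tcp only: "setup" (SYN, no ACK) or "established" (ACK set)
    icmptype: int = -1

# Bernie's ordering as (rule number, action, predicate); numbers are assumptions.
RULES = [
    (200, "allow", lambda p: p.proto == "udp" and p.direction == "in" and p.sport == 53),
    (300, "allow", lambda p: p.proto == "tcp" and p.direction == "out" and p.flags == "setup"),
    (310, "allow", lambda p: p.proto == "tcp" and p.flags == "established"),
    (320, "allow", lambda p: p.proto == "udp" and p.direction == "out"),
    (400, "allow", lambda p: p.proto == "icmp" and p.icmptype in (0, 8, 11)),
    (65000, "deny", lambda p: True),   # deny + log everything else; must stay last
]

def evaluate(rules, pkt):
    """First match wins: return (rule number, action, number of rules inspected)."""
    for inspected, (num, action, match) in enumerate(rules, 1):
        if match(pkt):
            return num, action, inspected
    raise RuntimeError("no terminal rule")   # real ipfw ends with an implicit rule 65535

def decisions(rules, traffic):
    return [evaluate(rules, p)[1] for p in traffic]

def cost(rules, traffic):
    """Average rules inspected per packet: the 'speed' aspect of ordering."""
    return sum(evaluate(rules, p)[2] for p in traffic) / len(traffic)

def established_first(rules):
    """Move the established-TCP rule to the front. Safe here only because the
    allow rules are disjoint (different proto/direction/flags), so no packet
    can match two of them; the terminal deny is not moved."""
    return [r for r in rules if r[0] == 310] + [r for r in rules if r[0] != 310]

# Constructed traffic mix for a dial-up client: mostly established TCP replies,
# some DNS replies, a few new outbound connections, two unsolicited inbound SYNs.
TRAFFIC = (
    [Pkt("tcp", "in", 80, 50000, "established")] * 90
    + [Pkt("udp", "in", 53, 40000)] * 5
    + [Pkt("tcp", "out", 50001, 80, "setup")] * 3
    + [Pkt("tcp", "in", 40000, 22, "setup")] * 2
)
```

Comparing `cost(RULES, TRAFFIC)` with `cost(established_first(RULES), TRAFFIC)` shows the speed effect of putting the most frequent traffic first, while `decisions()` returns the same list for both orderings.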