Date: Wed, 19 Jan 2000 21:00:29 -0800 (PST)
From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
To: cjc@cc942873-a.ewndsr1.nj.home.com (Crist J. Clark)
Cc: jwyatt@rwsystems.net (James Wyatt), oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Subject: Re: New Firewall
Message-ID: <200001200500.VAA53835@gndrsh.dnsmgr.net>
In-Reply-To: <20000119234827.A70698@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Jan 19, 2000 11:48:27 pm"
> On Tue, Jan 18, 2000 at 09:40:33AM -0800, Rodney W. Grimes wrote:
> > > On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > > > The following rules can help if you are going to be running SMTP, HTTP,
> > > > POP3, and HTTPS, delete what you don't need.
> > > [ ... ]
> > > > # -- Deny setup of other incoming connections
> > > > ipfw add deny tcp from any to any setup
> > > >
> > > > # -- Deny other incoming IP packets.
> > > > ipfw add deny ip from any to any
> > >
> > > These rules are duplicate, so you can drop the first one. The last rule is
> > > commonly the default in /etc/rc.firewall as well. That aside, I might keep
> > > the first one and change it to '... deny log ...', thus logging connection
> > > attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> > > is all about... - Jy@

I missed this the first time around. log_in_vain will not always do what
a log deny would do on this rule. log_in_vain will only catch connections
to the router/host, not packets passing through the router if it is a real
firewall/forwarding engine.

> >
> > These rules are not equivalent, ip != tcp, and setup != null. The first
> > rule is _VERY_ important. The second can be eliminated, see other email
> > from me on missing ``setup'' on all the other rules...
>
> Huh?
>
> While it's true the rules are obviously not "duplicates" or
> "equivalent," the first one is not necessary when these two appear next
> to one another and no logging is done (like it is written).

Then it would have been clearer had you said ``The second rule is
redundant because...''

> Anything
> that would be denied by the first rule would be denied by the
> second, i.e. all packets that match the first rule are a subset of the
> packets that match the second.

Yes, that is true, however I still stand by my statement, and you confirm
that here, that ``these rules are not equivalent''.

>
> Or am I missing something?

Yeah, that people often add rules between other rules, especially between
those 2 rules :-). (For example, that is one place that ttcp syn/fin packet
processing can be done.)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25)              rgrimes@gndrsh.dnsmgr.net
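The point argued above (the `setup` deny and the catch-all `deny ip` give the same verdict for every packet, but not the same log record, and stop being interchangeable as soon as something is inserted between them) can be checked with a small first-match model of ipfw. This is an added example, not code from the thread or from ipfw: it models only the rule features the thread uses (protocol, source network, destination port, `setup`, `log`), the rule numbers, service ports and packets are constructed for illustration, and the implicit default rule is taken to be deny. log_in_vain is a host-stack knob, not a firewall rule, so it is deliberately outside the model.

```python
"""Toy first-match model of the two ipfw rules debated in the thread.

Added example, not code from the FreeBSD lists or from ipfw.  Rule numbers,
ports and packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                     # "allow" or "deny"
    proto: str                      # "ip" matches any protocol, else "tcp"/"udp"
    src: Optional[str] = None       # CIDR; None means "from any"
    dst_port: Optional[int] = None  # None means "to any"
    setup: bool = False             # ipfw 'setup': SYN set and ACK clear
    log: bool = False               # 'deny log' vs plain 'deny'


@dataclass
class Packet:
    proto: str
    src: str
    dst_port: int
    syn: bool = False
    ack: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this packet satisfy every selector on the rule?"""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.setup and not (pkt.syn and not pkt.ack):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int, bool]:
    """First matching rule (by number) wins: (action, rule number, logged?).
    65535 stands in for the implicit default rule, assumed here to deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number, rule.log
    return "deny", 65535, False


# Services from the thread, opened with 'setup' as the other mail recommends.
SERVICE_RULES = [
    Rule(100, "allow", "tcp", dst_port=25, setup=True),
    Rule(110, "allow", "tcp", dst_port=80, setup=True),
    Rule(120, "allow", "tcp", dst_port=110, setup=True),
    Rule(130, "allow", "tcp", dst_port=443, setup=True),
]
DENY_SETUP = Rule(1000, "deny", "tcp", setup=True, log=True)  # the rule called redundant
DENY_ALL = Rule(2000, "deny", "ip")                           # the catch-all


def ruleset(keep_setup_rule: bool, extra: Optional[Rule] = None) -> List[Rule]:
    """Build the ruleset with or without rule 1000, plus an optional rule
    that an administrator later slipped in between 1000 and 2000."""
    rules = list(SERVICE_RULES)
    if keep_setup_rule:
        rules.append(DENY_SETUP)
    if extra is not None:
        rules.append(extra)
    rules.append(DENY_ALL)
    return rules


def compare(pkt: Packet, extra: Optional[Rule] = None):
    """Verdict with rule 1000 present, then with it dropped.  Any difference
    is a case where removing the 'redundant' rule changed firewall behaviour."""
    return evaluate(ruleset(True, extra), pkt), evaluate(ruleset(False, extra), pkt)


# Constructed packets: outside host probing ssh, a legitimate SMTP open,
# a UDP packet, and an inside host probing ssh.
SYN_TO_SSH = Packet("tcp", "203.0.113.9", 22, syn=True)
SYN_TO_SMTP = Packet("tcp", "203.0.113.9", 25, syn=True)
UDP_TO_DNS = Packet("udp", "203.0.113.9", 53)
INSIDE_SYN_TO_SSH = Packet("tcp", "10.1.2.3", 22, syn=True)

# A rule later inserted between 1000 and 2000 (constructed): "let the inside
# network through".  With rule 1000 still there it cannot open new TCP
# connections to closed ports; with 1000 dropped it silently can.
ALLOW_INSIDE = Rule(1500, "allow", "ip", src="10.0.0.0/8")


if __name__ == "__main__":
    for name, pkt in (("syn->22", SYN_TO_SSH), ("syn->25", SYN_TO_SMTP), ("udp->53", UDP_TO_DNS)):
        print(name, compare(pkt))
    print("inside syn->22 after inserting rule 1500", compare(INSIDE_SYN_TO_SSH, ALLOW_INSIDE))
```

Run as written, the first three packets get the same allow/deny verdict with or without rule 1000, which is Crist's subset argument; the SYN to port 22 is the one that is logged only when rule 1000 is kept, which is James's "deny log" point. The last line shows Rod's objection: once rule 1500 sits between the two denies, the inside host's SYN is dropped and logged when rule 1000 is present and allowed when it has been removed as "redundant".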