From owner-freebsd-questions Thu Oct 24 23:39:12 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03F1537B404 for ; Thu, 24 Oct 2002 23:39:11 -0700 (PDT)
Received: from lightning.adam.com.au (lightning.adam.com.au [203.2.124.20]) by mx1.FreeBSD.org (Postfix) with SMTP id A23A143E6E for ; Thu, 24 Oct 2002 23:39:09 -0700 (PDT) (envelope-from lloy0076@adam.com.au)
Received: (qmail 2138 invoked from network); 25 Oct 2002 06:39:07 -0000
Received: from 202-6-128-143.ip.adam.com.au (HELO linux.david.net.au) (202.6.128.143) by eden.adam.com.au with SMTP; 25 Oct 2002 06:39:07 -0000
Date: Fri, 25 Oct 2002 16:24:40 +0930
From: David Lloyd
To: Bryan Cassidy
Cc: adamw@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: Whats the deal?
Message-Id: <20021025162440.796a9f18.lloy0076@adam.com.au>
In-Reply-To: <20021025013131.13ddf403.bryanc2000@insightbb.com>
References: <20021025005639.507fd4a1.bryanc2000@insightbb.com> <20021025062905.GC70503@vectors.cx> <20021025013131.13ddf403.bryanc2000@insightbb.com>
X-Mailer: Sylpheed version 0.8.5 (GTK+ 1.2.9; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Bryan,

> option IPFIREWALL_DEFAULT_TO_ACCEPT
>
> or
> option IPFIREWALL_DEFAULT_TO_ACCEPT=??
>
> to the kernel?

I tend to add a rule that is the equivalent of "accept everything" at 65534 or thereabouts _if_ and _only if_ I really want a firewall of this type. The reason why firewalls tend to default to DENY is that it's easier to ALLOW stuff you want rather than remember what STUFF you don't want.
Whilst your users might scream if you accidentally deny ICQ/IRC/something else you shouldn't have denied, they'll be more upset if the system goes down because you forgot to close some insecure port and then lost the system so badly you needed to do a full rebuild...

DSL

--
The Linux C Programming Lists:
* http://lists.linux.org.au/listinfo/linuxcprogramming/
The Linux C++ Programming Lists:
* http://lists.linux.org.au/listinfo/tuxcpprogramming/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
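The two rulesets David contrasts, written out as an added example that is not code from his message or from the FreeBSD project. The script emits ipfw rules in the one-rule-per-line form that `ipfw /path/to/file` loads; the LAN prefix, the allowed ports and the rule numbers below 65534 are constructed placeholders. Both sets share the same explicit allows and differ only in rule 65534: a logging deny that hands everything else to the kernel's built-in deny rule 65535, or the catch-all allow that turns the firewall into the "accept everything" type without rebuilding the kernel with IPFIREWALL_DEFAULT_TO_ACCEPT. A small audit helper reports which kind a ruleset is.

```shell
#!/bin/sh
# Added example (not from the original message or the FreeBSD project).
# Emits ipfw rule files in the format `ipfw /path/to/file` loads:
# one rule per line, without the leading "ipfw". Flush the old rules
# first (`ipfw -f flush`) before loading either set.
# LAN is a constructed placeholder; the ports are illustrative only.

LAN="${LAN:-192.168.1.0/24}"   # assumed internal network (placeholder)

# Explicit allows shared by both rulesets. Anything not matched here
# falls through to whatever sits at 65534/65535.
common_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 1000 allow tcp from any to any established
add 1100 allow tcp from ${LAN} to any setup
add 1200 allow tcp from ${LAN} to me 22 setup
add 1300 allow udp from any 53 to ${LAN}
add 1400 allow icmp from any to any icmptypes 0,3,8,11
EOF
}

# Default-deny ruleset: rule 65534 logs whatever reaches it (needs
# IPFIREWALL_VERBOSE / net.inet.ip.fw.verbose=1 for the log to appear),
# and the kernel's built-in rule 65535 (deny with a plain IPFIREWALL
# kernel) drops it. Forgotten services stay closed.
default_deny_rules() {
    common_rules
    echo "add 65534 deny log ip from any to any"
}

# Accept-type ruleset: the catch-all allow at 65534 that the message
# describes. It behaves like IPFIREWALL_DEFAULT_TO_ACCEPT, so only the
# rules numbered below it can block anything; a service you forgot to
# deny is reachable.
default_accept_rules() {
    common_rules
    echo "add 65534 allow ip from any to any"
}

# Audit helper: succeeds (exit 0) if a ruleset read on stdin contains the
# catch-all allow, i.e. the firewall is effectively default-to-accept.
has_catch_all_allow() {
    grep -q '^add 65534 allow ip from any to any$'
}

# Print the default-deny set unless explicitly asked for the permissive one.
if [ "${1:-deny}" = "accept" ]; then
    default_accept_rules
else
    default_deny_rules
fi
```

Run it with no argument to get the default-deny set, or with `accept` for the permissive one; `sh rules.sh | sh -c 'has_catch_all_allow'` style checks are what the helper is for when reviewing a ruleset pulled from a host with `ipfw list`.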