Date:      Mon, 6 Nov 2000 11:45:29 -0500 (EST)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD-Stable <stable@freebsd.org>
Subject:   Re: Strange latency? Was: 4.1.1-Stable 
Message-ID:  <Pine.BSF.4.21.0011061136160.39924-100000@topperwein.dyndns.org>
In-Reply-To: <Pine.BSF.4.21.0011050328460.235-100000@oT.o8.com>

On Sun, 5 Nov 2000, Maarten van Schie wrote:

> Hmmm.. I have been playing around with IPFILTER but didn't apply anything.
> The docs tell IPFILTER accepts anything unless specified otherwise, that
> implied to me that when and if the IPFILTER options are compiled into
> kernel you won't notice they are there.. (but obviously they do show?)

    Does IPFILTER allow you to flip the default to deny?  I use ipfw,
and am therefore not that familiar with IPFILTER.  Having just gone
through the exercise of setting up a home LAN this weekend, I'll tell
you this much:  your "prevent others' RFC 1918 nets from leaking in to
my net" rules should precede your NAT rule, and then should be
followed by your "prevent my RFC 1918 nets from leaking out to the
world" rule.  You also need to pass packets to and from port 53 to
allow DNS queries to go out (and their responses to come back).  That
pass rule can follow your "prevent my RFC 1918 nets from leaking out"
rule.

    Summary:

        block others' RFC 1918 traffic from coming in
        do NAT
        block my RFC 1918 traffic from leaking out
        other rules as needed--should include blocking your X traffic
            from leaking out, and allowing traffic on ports 22 and 25
        last rule--pass all or deny all per your preference (and per
            what works in your environment)

I'm no firewall expert by any means (one of the reasons I run FreeBSD
is to learn this stuff--I'm a frustrated sysadmin at heart), but this
should be helpful.

(Question:  do people post their firewall configs on -security for
review?  Seems that might be a pretty useful thing, although it might
bloat list traffic quite a bit.)

--
Chris BeHanna
Software Engineer (at yourfit.com)
behanna@zbzoom.net
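The rule ordering from the summary above, modelled as a first-match packet filter in Python. This is an added example, not code from the post or from FreeBSD's ipfw or IPFILTER; the packet fields, the LAN prefix 192.168.1.0/24, the public address 203.0.113.7 and the X11 port range 6000-6063 are assumptions. It goes one step beyond the post by also evaluating a misordered ruleset (the outbound RFC 1918 leak block placed before NAT) to show why the order matters.

```python
"""First-match model of the firewall rule ordering described in the post.
Added example, not from the mailing list or from FreeBSD; interface names,
addresses and packet fields are assumptions."""
import ipaddress
from dataclasses import dataclass, replace

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed home LAN
EXT_IP = ipaddress.ip_address("203.0.113.7")      # assumed public address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "in" (arriving from the Internet) or "out" (leaving to it)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def nat(p):
    """Outbound NAT: rewrite a LAN source to the public address.
    Reverse translation of replies needs natd's state table, which this model omits."""
    if p.direction == "out" and ipaddress.ip_address(p.src) in LAN:
        return replace(p, src=str(EXT_IP))
    return p


# (name, match predicate, action). "nat" rewrites the packet and continues
# with the next rule, like an ipfw divert to natd; "pass"/"deny" terminate.
def ordered_rules():
    return [
        ("block others' RFC 1918 in", lambda p: p.direction == "in" and is_rfc1918(p.src), "deny"),
        ("nat",                       lambda p: True, "nat"),
        ("block my RFC 1918 out",     lambda p: p.direction == "out" and is_rfc1918(p.src), "deny"),
        ("pass DNS",                  lambda p: 53 in (p.sport, p.dport), "pass"),
        ("block X11 out",             lambda p: p.direction == "out" and 6000 <= p.dport <= 6063, "deny"),
        ("pass ssh/smtp",             lambda p: p.dport in (22, 25), "pass"),
        ("last rule: deny all",       lambda p: True, "deny"),
    ]


def misordered_rules():
    """Same rules, but the outbound leak block is placed before NAT."""
    r = ordered_rules()
    r[1], r[2] = r[2], r[1]
    return r


def evaluate(p, rules):
    """Return (verdict, name of the terminating rule, packet as it left the filter)."""
    for name, match, action in rules:
        if not match(p):
            continue
        if action == "nat":
            p = nat(p)
            continue
        return action, name, p
    return "deny", "implicit", p


def demo():
    """Constructed sample packets run through the ordered ruleset."""
    cases = {
        "spoofed inbound":   Packet("10.1.2.3", "203.0.113.7", 40000, 22, "in"),
        "lan dns query":     Packet("192.168.1.10", "198.51.100.53", 40001, 53, "out"),
        "dns reply":         Packet("198.51.100.53", "203.0.113.7", 53, 40001, "in"),
        "untranslated leak": Packet("10.9.9.9", "198.51.100.1", 40002, 80, "out"),
        "x11 out":           Packet("192.168.1.10", "198.51.100.1", 40003, 6000, "out"),
        "inbound ssh":       Packet("198.51.100.2", "203.0.113.7", 40004, 22, "in"),
        "inbound http":      Packet("198.51.100.2", "203.0.113.7", 40005, 80, "in"),
    }
    return {k: evaluate(v, ordered_rules()) for k, v in cases.items()}


if __name__ == "__main__":
    for name, (verdict, rule, pkt) in demo().items():
        print(f"{name:18} -> {verdict:4} by '{rule}' (src now {pkt.src})")
    # With the leak block ahead of NAT, every LAN host's traffic is denied
    # before translation; the DNS query below never reaches the pass rule.
    q = Packet("192.168.1.10", "198.51.100.53", 40001, 53, "out")
    print("misordered lan dns query ->", evaluate(q, misordered_rules())[:2])
```

The model makes the post's point concrete: with the leak block after NAT, the only outbound RFC 1918 sources still visible are the ones NAT did not translate (a real leak), whereas placing that block before NAT denies every LAN host's traffic before its source is rewritten.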
