Date: Sat, 19 Aug 2000 23:37:03 -0700 (PDT)
From: Steve Lewis <nepolon@systray.com>
To: Mike Meyer <mwm@mired.org>
Cc: Bill McMilleon <billmcmilleon@home.com>, questions@FreeBSD.ORG
Subject: Re: hardening my nat/firewall rules
Message-ID: <Pine.BSF.4.05.10008192333490.717-100000@greg.ad9.com>
In-Reply-To: <14751.2479.923607.828576@guru.mired.org>
On Sat, 19 Aug 2000, Mike Meyer wrote:

> > # I didn't know how to proceed here, but this works for now
> > add allow ip from any to any
>
> No. Never. The safe behavior is to deny everything you don't
> specifically allow, not to allow everything you don't specifically
> deny.
>
> Use "add deny log ip from any to any" as the last rule. This turns off
> everything else, and logs what happened. Check the logs regularly. If
> something doesn't work, check the logs to see what's being blocked,
> and then enable that.

While defaulting to deny is safer, it doesn't make any sense to just
replace his rule without forethought, because at no point does he
allow/pass any packets IIRC... he always skips to the divert. Now he has
to add rules to allow any packets which were skipped before... THEN he
can add the default deny rule.

Am I missing anything?

--Steve

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
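As an added example (not from this thread or any of its authors), here is an ipfw ruleset in the style of FreeBSD's rc.firewall that follows the ordering Steve describes: the divert to natd stays in place, the traffic that previously fell through to the divert gets explicit allow rules, and only then does "deny log ip from any to any" close the set. The outside interface tun0 and inside network 192.168.1.0/24 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from this thread: an ipfw ruleset in the style of
# FreeBSD's rc.firewall. Divert to natd first, explicit allows for what
# used to fall through, then "deny log" as the last rule.
# Assumed placeholders: outside interface tun0, inside network 192.168.1.0/24.

fwcmd="${fwcmd:-/sbin/ipfw}"
oif="${oif:-tun0}"
inet="${inet:-192.168.1.0/24}"

load_rules() {
    ${fwcmd} -f flush

    # Loopback is trusted; nothing else may claim a 127/8 address.
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny log ip from any to 127.0.0.0/8

    # Anti-spoofing: inside addresses never arrive inbound on the outside interface.
    ${fwcmd} add 200 deny log ip from ${inet} to any in via ${oif}

    # NAT, as in the original ruleset. ipfw resumes matching the translated
    # packet at the next rule, so the rules below see the public address.
    ${fwcmd} add 300 divert natd ip from any to any via ${oif}

    # Replies belonging to TCP connections that are already open.
    ${fwcmd} add 400 allow tcp from any to any established

    # New TCP connections: log and drop those arriving from the outside,
    # allow those the inside opens (these replace the old fall-through).
    ${fwcmd} add 500 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 510 allow tcp from any to any setup

    # DNS queries out and their answers back.
    ${fwcmd} add 600 allow udp from any to any 53 out via ${oif}
    ${fwcmd} add 610 allow udp from any 53 to any in via ${oif}

    # Everything not allowed above is dropped and logged, as Mike suggested.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Print the rules instead of loading them, for review before deployment.
preview_rules() {
    fwcmd=echo
    load_rules
}

case "${1:-}" in
    load)    load_rules ;;
    preview) preview_rules ;;
esac
```

Run it with the argument "preview" to print the rules, or as root with "load" to install them.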