Date: Sat, 19 Aug 2000 23:37:03 -0700 (PDT)
From: Steve Lewis
To: Mike Meyer
Cc: Bill McMilleon, questions@FreeBSD.ORG
Subject: Re: hardening my nat/firewall rules
In-Reply-To: <14751.2479.923607.828576@guru.mired.org>

On Sat, 19 Aug 2000, Mike Meyer wrote:

> > # I didn't know how to proceed here, but this works for now
> > add allow ip from any to any
>
> No. Never. The safe behavior is to deny everything you don't
> specifically allow, not to allow everything you don't specifically
> deny.
>
> Use "add deny log ip from any to any" as the last rule. This turns off
> everything else, and logs what happened. Check the logs regularly. If
> something doesn't work, check the logs to see what's being blocked,
> and then enable that.

While defaulting to deny is safer, it doesn't make any sense to just replace his rule without forethought, because at no point does he allow/pass any packets IIRC... he always skips to the divert. Now he has to add rules to allow any packets which were skipped before... THEN he can add the default deny rule. Am I missing anything?

--Steve
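An added example, not the original poster's ruleset nor Mike Meyer's, of the ordering Steve describes: the divert to natd first, explicit allow rules for the traffic that previously fell through to "allow ip from any to any", and the logged deny as the last rule. The interface name, internal network, rule numbers and permitted services are assumptions; with FWCMD unset it only prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example in the style of rc.firewall: FWCMD defaults to echo so the
# script is a dry run; set FWCMD=/sbin/ipfw to load the rules for real.
FWCMD="${FWCMD:-echo}"
oif="ed0"                 # assumed external (NAT) interface
inet="192.168.1.0/24"     # assumed internal network

build_ruleset() {
    "$FWCMD" -f flush
    # 1. Translate addresses first. A diverted packet re-enters the list at
    #    the next rule, so the divert by itself never passes anything.
    "$FWCMD" add 100 divert natd ip from any to any via "$oif"
    # 2. Loopback traffic is fine; 127/8 must not appear on other interfaces.
    "$FWCMD" add 200 allow ip from any to any via lo0
    "$FWCMD" add 210 deny ip from any to 127.0.0.0/8
    "$FWCMD" add 220 deny ip from 127.0.0.0/8 to any
    # 3. Explicitly allow what used to be caught by "allow ip from any to any":
    #    replies to connections we opened, anything from the inside, and the
    #    inbound services we really offer (ssh here, an assumption).
    "$FWCMD" add 300 allow tcp from any to any established
    "$FWCMD" add 310 allow ip from "$inet" to any
    "$FWCMD" add 320 allow tcp from any to any 22 in via "$oif" setup
    "$FWCMD" add 330 allow udp from any 53 to any in via "$oif"
    "$FWCMD" add 340 allow icmp from any to any icmptypes 0,3,11
    # 4. Last rule: deny and log everything not matched above. Anything that
    #    shows up in the log for legitimate traffic gets its own allow rule
    #    inserted before this one.
    "$FWCMD" add 65000 deny log ip from any to any
}

# Convenience for checking the dry run: the final rule that was emitted.
last_rule() { build_ruleset | tail -n 1; }
```

Running the script without FWCMD prints the ruleset so the order can be reviewed before it is loaded on the gateway.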