From: Khairil Yusof
To: Alex de Kruijff
cc: questions@freebsd.org
Subject: Re: ipfw pipes + firewall
Date: Sat, 29 Nov 2003 14:29:13 +0800
In-Reply-To: <20031128224536.GB815@dds.nl>
Message-Id: <1070087352.2416.100.camel@wolverine.home.net>

On Sat, 2003-11-29 at 06:45, Alex de Kruijff wrote:
> > 00100 83 11350 pipe 1 ip from any to any out
> > 00200 93 11266 pipe 2 ip from any to any in
> > 00300 0 0 check-state
> > 00400 0 0 deny tcp from any to any established
> > 01400 103 14855 allow tcp from any to me dst-port 22 in setup keep-state
> > ... more firewall rules which are being matched
> I find your 400 rule very strange. Rule 400 shouldn't apply because they
> are passed by 300 (this one doesn't have a counter :( ).
I'm following the example given by ipfw(8). Rule 0400 is apparently supposed to block any non-dynamic rules. Does rule 300 have a counter?

I've followed both ipfw(8) and http://www.freebsd.org/doc/en_US.ISO8859-1/articles/dialup-firewall/rules.html

I'm using the example from the article for my pppoe connection at home.

> For rule 1400 the dst-port is wrongly placed. Ports are (or can be) given
> after the ip without any marker. I would replace 1400 with:
> allow tcp from any to me 22 in
> allow tcp from me 22 to any out
> No need to have dynamic rules here so place it before 300

This sounds right, it would cut down on the overhead of additional dynamic rules. So making public port rules without dynamic rules is better?

Digging in the archives, Matthew Seaman said that dynamic rules should be safer, but I'm not sure if it applies to my case. I'm no security expert, so thanks for the insight.

-- 
FreeBSD 5.2-BETA i386
2:24pm up 11:29, 3 users, load averages: 0.22, 0.44, 0.66
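The ruleset the two of them are converging on, written out as an added example (this is not code from the thread, the dialup-firewall article, or rc.firewall): static allow rules for the public SSH port placed before check-state, check-state before the "deny ... established" rule, and the keep-state rules after that. With that order, a packet that matches a dynamic entry is accepted at rule 300 and never reaches 400; an "established" packet (ACK or RST set) that has no dynamic entry falls through to 400 and is dropped, which is the purpose of rule 400. The pipe bandwidths, the rule numbers other than 100-400, the UDP/DNS rule and the final deny are illustrative placeholders, not values from the thread. The script uses the `to me 22` port form Alex suggested; ipfw2 also accepts `dst-port 22`. The small linter at the end only checks the ordering discussed above; it is not an ipfw parser.

```shell
#!/bin/sh
# Added example, not code from the thread: generate an ipfw ruleset of the
# shape discussed above and lint its ordering before loading it.
# Assumptions (not from the thread): the pipe bandwidths, the rule numbers
# other than 100-400, the DNS rule and the trailing deny are placeholders.

# Print the ruleset in ipfw's file format (one command per line, no "ipfw"
# prefix), so it can be loaded with `ipfw -q FILE`. Ordering rationale:
#   - static allow rules for the public SSH port sit before check-state
#     (300), so no dynamic entry is created for them;
#   - check-state sits before "deny ... established" (400), so packets that
#     match a dynamic entry are accepted at 300 and only established packets
#     with no state reach 400 and are dropped;
#   - keep-state rules come after 400 and create the dynamic entries.
build_ruleset() {
    cat <<'EOF'
pipe 1 config bw 256Kbit/s
pipe 2 config bw 1024Kbit/s
add 00100 pipe 1 ip from any to any out
add 00200 pipe 2 ip from any to any in
add 00250 allow tcp from any to me 22 in
add 00260 allow tcp from me 22 to any out
add 00300 check-state
add 00400 deny tcp from any to any established
add 01400 allow tcp from me to any out setup keep-state
add 01500 allow udp from me to any 53 out keep-state
add 65000 deny log ip from any to any
EOF
}

# rule_number RULESET PATTERN: number (as a plain integer) of the first
# "add" line in RULESET whose text matches PATTERN, or nothing if absent.
rule_number() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        '$1 == "add" && $0 ~ pat { print $2 + 0; exit }'
}

# lint_ruleset RULESET: check the ordering pitfalls from the thread.
# Prints a diagnostic and returns 1 on the first violation, 0 otherwise.
lint_ruleset() {
    rules=$1
    cs=$(rule_number "$rules" 'check-state')
    est=$(rule_number "$rules" 'deny tcp from any to any established')
    ssh_in=$(rule_number "$rules" 'allow tcp from any to me 22 in')
    ks=$(rule_number "$rules" 'keep-state')
    for n in "$cs" "$est" "$ssh_in" "$ks"; do
        [ -n "$n" ] || { echo "a required rule is missing"; return 1; }
    done
    [ "$ssh_in" -lt "$cs" ] \
        || { echo "static SSH rule $ssh_in must precede check-state $cs"; return 1; }
    [ "$cs" -lt "$est" ] \
        || { echo "check-state $cs must precede deny-established $est"; return 1; }
    [ "$est" -lt "$ks" ] \
        || { echo "deny-established $est must precede keep-state rule $ks"; return 1; }
    echo "ordering ok"
    return 0
}

# Usage: write the rules, lint them, then load them (the load needs root).
#   build_ruleset > /tmp/ipfw.rules
#   lint_ruleset "$(cat /tmp/ipfw.rules)" && ipfw -q /tmp/ipfw.rules
```

One caveat that matters for exactly this "pipes in front of the firewall" layout: with the default sysctl net.inet.ip.fw.one_pass=1, a packet that enters pipe 1 or pipe 2 at rule 100 or 200 leaves the ruleset when it comes out of dummynet and is never matched against rule 300 and later. If the pipes are meant to shape traffic before it is filtered, set net.inet.ip.fw.one_pass=0 so the packet is reinjected at the next rule; otherwise put the filtering rules in front of the pipe rules.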