From owner-freebsd-security@FreeBSD.ORG Sun Mar 23 05:39:44 2014
Message-ID: <532E7398.5090607@freebsd.org>
Date: Sat, 22 Mar 2014 22:39:36 -0700
From: Julian Elischer
To: RW, freebsd-security@freebsd.org, ipfw@FreeBSD.org
Subject: Re: ipfw dynamic rules
References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net> <20140322151155.184d5229@gumby.homeunix.com> <532E723C.2090109@freebsd.org>
In-Reply-To: <532E723C.2090109@freebsd.org>
List-Id: "Security issues [members-only posting]"

reposting with a useful subject line and more comments

On 3/22/14, 10:33 PM, Julian Elischer wrote:
>
> in ipfw that's up to you..
> but I usually put the check-state quite early in my rule sets.
>
> On 3/22/14, 1:34 AM, Ian Smith wrote:
> > Firstly, that's the one page in the handbook (that I know of) that needs
> > completely nuking. It contains many factual errors as well as weird
> > notions, and will only tend to mislead you; consult ipfw(8) and prosper.
> > I'd say refer to the examples in rc.firewall but it too is in disrepair.

I am working on a new rc.firewall that is much more efficient. The trouble is that the script to make it do what I want is a bit more complicated. I'll put it out for discussion later, maybe tonight.

As for the handbook pages.. after we see how the new firewall rules work we can see about rewriting the page.