From: Ian Smith <smithi@nimnet.asn.au>
To: Julian Elischer
Cc: freebsd-security@freebsd.org, RW, ipfw@freebsd.org
Subject: Re: ipfw dynamic rules
Date: Mon, 24 Mar 2014 00:16:26 +1100 (EST)
Message-ID: <20140324000439.F87212@sola.nimnet.asn.au>
In-Reply-To: <532E7398.5090607@freebsd.org>

On Sat, 22 Mar 2014 22:39:36 -0700, Julian Elischer wrote:
> reposting with a useful subject line and more comments
>
> On 3/22/14, 10:33 PM, Julian Elischer wrote:
> >
> > in ipfw that's up to you..
> > but I usually put the check-state quite early in my rule sets.
> >
> > > On 3/22/14, 1:34 AM, Ian Smith wrote:
> > > Firstly, that's the one page in the handbook (that I know of) that needs
> > > completely nuking. It contains many factual errors as well as weird
> > > notions, and will only tend to mislead you; consult ipfw(8) and prosper.
> > > I'd say refer to the examples in rc.firewall but it too is in disrepair.

Firstly, I owe an apology to the doc crew, one of whom contacted me
privately to point out that the ipfw page has had quite a massaging
lately, and work is ongoing. I'm sorry for not checking again first.

> I am working on a new rc.firewall that is much more efficient.
> The trouble is that the script to make it do what I want is a bit more
> complicated.
> I'll put it out for discussion later. Maybe tonight.

Great. Maybe my failed rc.firewall patch from '11 can still be useful.

> As for the handbook pages.. after we see how the new firewall rules work
> we can see about rewriting the page.

Yes, well it seems there's a newer framework worth hanging it on now.

I guess we should drop freebsd-security@ until there's some news?

cheers, Ian
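The check-state placement Julian describes, as an added example that is not part of this thread or of rc.firewall (the interface name em0, the rule numbers and the single SSH service are assumptions):

```shell
#!/bin/sh
# Constructed example: a minimal stateful ipfw ruleset with check-state early.
# Dynamic rules created by keep-state are consulted at the check-state rule,
# so a packet belonging to an established flow is accepted there and never
# has to match (or be denied by) any of the static rules that follow.
EXT_IF="${EXT_IF:-em0}"   # assumption: external interface

# Emit the rule list, one ipfw(8) command per line, without applying it.
build_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 check-state
add 400 allow tcp from me to any out via $EXT_IF setup keep-state
add 410 allow udp from me to any out via $EXT_IF keep-state
add 500 allow tcp from any to me 22 in via $EXT_IF setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Position (1-based line within the rule list) of the first rule matching
# a pattern; used to verify ordering before the set is loaded.
rule_line() {
    build_rules | grep -n "$1" | head -n 1 | cut -d: -f1
}

# Refuse to load a set in which a keep-state rule precedes check-state.
check_order() {
    [ "$(rule_line check-state)" -lt "$(rule_line keep-state)" ]
}

# Flush and load the set; only meaningful on a FreeBSD host as root.
apply_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "need root" >&2; return 1; }
    check_order || { echo "check-state must precede keep-state rules" >&2; return 1; }
    ipfw -q -f flush
    build_rules | while read -r line; do
        ipfw -q $line   # word-splitting is intended here
    done
}
```

Run `build_rules` to review the set; `apply_rules` loads it only where ipfw exists.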