From owner-freebsd-net@FreeBSD.ORG Sun Feb 5 18:47:02 2012
From: Eitan Adler
Date: Sun, 5 Feb 2012 13:16:35 -0500
To: Bill Tillman
Cc: freebsd-net@freebsd.org
Subject: Re: HowTo easy use IPFW
List-Id: Networking and TCP/IP with FreeBSD
In-Reply-To: <1328443513.34131.YahooMailNeo@web36505.mail.mud.yahoo.com>

On Sun, Feb 5, 2012 at 7:05 AM, Bill Tillman wrote:
> The only truly safe firewall ruleset consists of one rule and that is:
>
>  deny all from any to any

This ruleset is potentially a denial of service attack if the system is
intended to do certain useful things. You can't talk about "only truly
safe firewall ruleset" without also talking about your threat model (and
intended functionality).

-- 
Eitan Adler
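The following is an added illustration of the point made in the reply, not code from the thread or from FreeBSD. It is a toy first-match packet filter modelled loosely on ipfw rule semantics (numbered rules, first match wins, implicit final deny as rule 65535) and evaluates two rulesets over constructed sample traffic: the "deny all" ruleset from the quoted message, and one written against a stated threat model for a host that must serve ssh to an admin network, query one DNS resolver and fetch updates over HTTPS. The host address, admin network, resolver and traffic samples are constructed from the RFC 5737 documentation ranges; interface matching and stateful handling of return traffic (ipfw's keep-state/established) are deliberately left out.

```python
"""Toy first-match packet filter loosely modelled on ipfw rule semantics.

Added example (not from the mailing-list thread): compares a "deny all"
ruleset with one written against a stated threat model and the host's
intended functionality, evaluated over constructed sample traffic.
Numbered rules, first-match evaluation and the implicit final deny
(rule 65535) follow ipfw's default behaviour; interface matching and
stateful handling of return traffic (keep-state/established) are omitted.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed addresses from the RFC 5737 documentation ranges.
ME = "203.0.113.10"          # the firewalled host itself (ipfw's "me")
ADMIN_NET = "192.0.2.0/24"   # where administrators may ssh from
RESOLVER = "198.51.100.53"   # the only DNS resolver the host should use


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int]  # destination port, None for icmp
    direction: str        # "in" or "out" relative to the host


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    proto: str = "any"
    src: str = "any"                 # address, CIDR network, or "any"
    dst: str = "any"
    dport: Optional[int] = None      # None matches any port
    direction: Optional[str] = None  # None matches both directions

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto == "any" or self.proto == pkt.proto)
            and _addr_matches(self.src, pkt.src)
            and _addr_matches(self.dst, pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.direction is None or self.direction == pkt.direction)
        )


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first rule matching the packet.

    As with ipfw's default kernel configuration, traffic that matches no
    rule hits the implicit rule 65535, which denies.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return 65535, "deny"


# Ruleset 1: the "only truly safe" ruleset from the quoted message.
DENY_ALL: List[Rule] = [Rule(100, "deny")]

# Ruleset 2: written against a stated threat model for this host. It is an
# ssh server for administrators only, needs DNS from one resolver and
# outbound HTTPS for updates, and must accept nothing else.
MINIMAL: List[Rule] = [
    Rule(100, "allow", dst="127.0.0.0/8"),                        # loopback
    Rule(200, "allow", "tcp", ADMIN_NET, ME, dport=22, direction="in"),
    Rule(300, "allow", "udp", ME, RESOLVER, dport=53, direction="out"),
    Rule(400, "allow", "tcp", ME, "any", dport=443, direction="out"),
    Rule(65000, "deny"),                                  # explicit default
]

# Constructed sample traffic, labelled by what each packet represents.
SAMPLE_TRAFFIC: Dict[str, Packet] = {
    "ssh_from_admin":     Packet("tcp", "192.0.2.5", ME, 22, "in"),
    "ssh_from_elsewhere": Packet("tcp", "198.51.100.7", ME, 22, "in"),
    "dns_query_out":      Packet("udp", ME, RESOLVER, 53, "out"),
    "https_out":          Packet("tcp", ME, "198.51.100.80", 443, "out"),
    "telnet_in":          Packet("tcp", "198.51.100.7", ME, 23, "in"),
}

# The functionality the host exists to provide; denying any of it is the
# self-inflicted denial of service the reply warns about.
INTENDED = ["ssh_from_admin", "dns_query_out", "https_out"]


def self_denied(rules: List[Rule]) -> List[str]:
    """Labels of intended traffic that the ruleset denies (empty is good)."""
    return [label for label in INTENDED
            if evaluate(rules, SAMPLE_TRAFFIC[label])[1] == "deny"]


if __name__ == "__main__":
    for name, rules in (("deny-all", DENY_ALL), ("minimal", MINIMAL)):
        print(f"== {name}: intended traffic denied -> {self_denied(rules)}")
        for label, pkt in SAMPLE_TRAFFIC.items():
            num, action = evaluate(rules, pkt)
            print(f"  {label:20s} rule {num:5d} {action}")
```

Run stand-alone, the script shows that the deny-all ruleset denies every piece of intended traffic (the admin's ssh session, the DNS query and the HTTPS fetch) while the threat-model-driven ruleset admits exactly those flows and still denies ssh from outside the admin network and the telnet probe. The explicit rule 65000 mirrors common ipfw practice of ending a ruleset with a visible catch-all rather than relying on the implicit rule 65535, which on FreeBSD denies unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT.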