From: Arvinn Løkkebakken <arvinn@whitebird.no>
To: freebsd-security@freebsd.org
Date: Fri, 19 Jul 2002 22:42:25 +0200 (CEST)
Subject: Re: ipfw and it's glory...
In-Reply-To: <200207170729.g6H7TtJe081341@drugs.dv.isc.org>

>> # Allow "local" traffic
>> ipfw add allow all from any to any via lo0
>>
>> # Allow all outgoing traffic
>> ipfw add allow all from any to any out
>
> This is a bad idea. You should only allow out what you
> will accept back in. If you don't you will eventually be
> guilty of pounding some poor server because you haven't
> allowed the answers to come back.

I can't see why that's a bad idea. ipfw does allow TCP ACKs back through the firewall, doesn't it? What do you mean by "only allow out what you will accept in"? The source and destination ports never have the same port numbers anyway.

Arvinn
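The disagreement above is about what happens to the reply packets once "allow all out" has let a connection attempt leave. The following is an added illustration, not code from the thread or from FreeBSD: it is a small first-match model of three ipfw rulesets, using ipfw's real keywords (`out`, `established`, `check-state`, `keep-state`, `me`) but with a simplified packet representation and constructed RFC 5737 addresses. It shows that with only the outbound rule the SYN/ACK is dropped and the client keeps retransmitting (the "pounding"); that a stateless `established` rule lets the reply in but equally admits any unsolicited packet with ACK set; and that `keep-state` admits only replies to flows the host itself opened, for UDP as well as TCP.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed addresses (RFC 5737 documentation ranges), not taken from the thread.
ME = "192.0.2.10"           # the host running ipfw
SERVER = "198.51.100.80"    # a remote web server
RESOLVER = "198.51.100.53"  # a remote DNS resolver
SCANNER = "203.0.113.7"     # an unrelated host sending an ACK probe


@dataclass(frozen=True)
class Pkt:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str                   # "in" or "out", as ipfw sees it on the interface
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


# Rule = (ipfw text for the reader, match predicate, action).
Rule = tuple[str, Callable[[Pkt], bool], str]


def established(p: Pkt) -> bool:
    """ipfw 'established': a TCP packet with the ACK or RST bit set (stateless)."""
    return p.proto == "tcp" and bool(p.flags & {"ACK", "RST"})


class Firewall:
    """First-match evaluation with an implicit final deny (rule 65535 in a deny-by-default kernel)."""

    def __init__(self, rules: list[Rule]):
        self.rules = rules
        self.state: set[tuple] = set()   # dynamic rules created by keep-state

    def _flow_key(self, p: Pkt) -> tuple:
        # Normalise both directions to (proto, our addr, our port, remote addr, remote port)
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Pkt) -> str:
        for _text, match, action in self.rules:
            if action == "check-state":
                if self._flow_key(p) in self.state:
                    return "allow"
                continue
            if match(p):
                if action == "allow keep-state":
                    self.state.add(self._flow_key(p))
                    return "allow"
                return action
        return "deny"


ALLOW_OUT: Rule = ("ipfw add allow all from any to any out", lambda p: p.direction == "out", "allow")

RULESET_OUT_ONLY = [ALLOW_OUT]                                  # the quoted ruleset, minus lo0
RULESET_ESTABLISHED = [ALLOW_OUT,
    ("ipfw add allow tcp from any to any established", established, "allow")]
RULESET_STATEFUL = [
    ("ipfw add check-state", lambda p: False, "check-state"),
    ("ipfw add allow all from me to any out keep-state",
     lambda p: p.direction == "out" and p.src == ME, "allow keep-state")]

# Constructed traffic: one HTTP handshake, one DNS lookup, one ACK-scan probe.
SYN = Pkt("tcp", ME, 49152, SERVER, 80, "out", frozenset({"SYN"}))
SYN_ACK = Pkt("tcp", SERVER, 80, ME, 49152, "in", frozenset({"SYN", "ACK"}))
ACK_PROBE = Pkt("tcp", SCANNER, 40000, ME, 22, "in", frozenset({"ACK"}))
DNS_QUERY = Pkt("udp", ME, 53000, RESOLVER, 53, "out")
DNS_REPLY = Pkt("udp", RESOLVER, 53, ME, 53000, "in")


def run(rules: list[Rule]) -> dict[str, str]:
    """Verdict for each constructed packet under the given ruleset, in arrival order."""
    fw = Firewall(rules)
    return {"syn_out": fw.filter(SYN), "synack_in": fw.filter(SYN_ACK),
            "ack_probe_in": fw.filter(ACK_PROBE),
            "dns_query_out": fw.filter(DNS_QUERY), "dns_reply_in": fw.filter(DNS_REPLY)}


def handshake_attempts(rules: list[Rule], max_tries: int = 3) -> int:
    """How many SYNs the client sends before a SYN/ACK gets through (each one the server must answer)."""
    fw = Firewall(rules)
    for attempt in range(1, max_tries + 1):
        fw.filter(SYN)
        if fw.filter(SYN_ACK) == "allow":
            return attempt
    return max_tries


if __name__ == "__main__":
    for name, rs in [("out only", RULESET_OUT_ONLY), ("established", RULESET_ESTABLISHED),
                     ("keep-state", RULESET_STATEFUL)]:
        print(f"{name:12} {run(rs)}  SYNs sent: {handshake_attempts(rs)}")
```

The `established` ruleset answers Arvinn's question literally (yes, the SYN/ACK comes back), but only because it trusts the ACK bit on any inbound TCP segment, and it does nothing for UDP replies such as DNS. The `keep-state` ruleset is the form of "only allow out what you will accept back in" that does not require predicting port numbers.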