Date: Thu, 16 Jan 2003 14:17:17 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Josh Brooks <user@mail.econolodgetulsa.com>, freebsd-hackers@FreeBSD.ORG
Cc: Nate Williams <nate@yogotech.com>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <200301162217.h0GMHHqK024403@apollo.backplane.com>
References: <15911.7774.98861.58086@emerger.yogotech.com> <20030116132958.H38599-100000@mail.econolodgetulsa.com> <15911.10871.858477.333335@emerger.yogotech.com>

The 'firewall' manual page is a must-read.

http://www.freebsd.org/cgi/man.cgi?query=firewall&apropos=0&sektion=0&manpath=FreeBSD+4.7-stable&format=html

I recommend that you first construct your firewall without worrying too much about optimizing it. Let it run a while, then use 'ipfw -v list' to see which rules are being triggered. Then, based on that information, optimize your ruleset.

As long as you are careful to maintain any sensitive rule orderings you should be able to construct an efficient ruleset (for example, anti-spoofing rules have to come before anything else).

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
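
The measure-then-optimize workflow described in the message above, as an added example that is not part of the original e-mail: a shell/awk helper that ranks rules by packet counter and lists rules that never matched. It assumes a counter listing with one rule per line in the form "rule number, packets, bytes, rule text" (the layout printed by `ipfw show`); the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message.
# Assumed input, one rule per line: <rule-number> <packets> <bytes> <rule text>

# Constructed sample listing (not taken from a real host).
sample_listing() {
cat <<'EOF'
00100      5120     409600 allow ip from any to any via lo0
00200         0          0 deny ip from 127.0.0.0/8 to any
00300        12        720 deny ip from 10.0.0.0/8 to any in via fxp0
01000    981234  812345678 allow tcp from any to any established
01100     40210    2412600 allow tcp from any to any 80 setup
65535       310      18600 deny ip from any to any
EOF
}

# hot_rules: print "position rule-number packets percent rule-text",
# busiest rule first. "position" is the rule's place in evaluation order,
# so a busy rule with a high position is a candidate for moving up.
hot_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        pos++; total += $2
        num[pos] = $1; pkts[pos] = $2
        text = $0
        sub(/^[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+[ \t]+/, "", text)
        body[pos] = text
    }
    END {
        for (i = 1; i <= pos; i++)
            printf "%d %s %s %.1f %s\n", i, num[i], pkts[i],
                   (total ? 100 * pkts[i] / total : 0), body[i]
    }' | sort -k3,3nr -k1,1n
}

# unused_rules: rule numbers whose packet counter is still zero.
# A zero or low count is not by itself a reason to move or drop a rule:
# order-sensitive rules such as anti-spoofing denies stay at the top.
unused_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

# Stand-alone run on the constructed sample; on a live host, pipe the
# counter listing into the functions instead of sample_listing.
sample_listing | hot_rules
echo "never matched: $(sample_listing | unused_rules)"
```

In the sample, the `established` rule carries almost all traffic from fourth position, while the two anti-spoofing denies ahead of it see little or nothing and still keep their place.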