Date: Thu, 16 Jan 2003 14:17:17 -0800 (PST)
From: Matthew Dillon <dillon@apollo.backplane.com>
To: Josh Brooks <user@mail.econolodgetulsa.com>, freebsd-hackers@FreeBSD.ORG
Cc: Nate Williams <nate@yogotech.com>
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <200301162217.h0GMHHqK024403@apollo.backplane.com>
References: <15911.7774.98861.58086@emerger.yogotech.com> <20030116132958.H38599-100000@mail.econolodgetulsa.com> <15911.10871.858477.333335@emerger.yogotech.com>

The 'firewall' manual page is a must-read.
http://www.freebsd.org/cgi/man.cgi?query=firewall&apropos=0&sektion=0&manpath=FreeBSD+4.7-stable&format=html
I recommend that you first construct your firewall without worrying
too much about optimizing it. Let it run a while, then use
'ipfw -v list' to see which rules are being triggered. Then, based
on that information, optimize your ruleset. As long as you are careful
to maintain any sensitive rule orderings you should be able to
construct an efficient ruleset (for example, anti-spoofing rules have
to come before anything else).
-Matt
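
The counter-driven review described in the message can be scripted. The following is an added example, not part of the original e-mail: it assumes counter lines of the form "rule number, packets, bytes, rule text" as printed by `ipfw show`, and a simple first-match linear scan with no skipto rules. The function names and the sample counters are constructed for illustration.

```shell
#!/bin/sh
# Rank ipfw rules by the linear-scan work their traffic costs.
# Input: "<rule number> <packets> <bytes> <rule text>" per line.
# Assumption: first-match evaluation in listed order, no skipto rules.

# Constructed sample counters, not taken from a real host.
sample_counters() {
cat <<'EOF'
00100     1200      96000 deny ip from 10.0.0.0/8 to any in via fxp0
00200        0          0 deny ip from 192.168.0.0/16 to any in via fxp0
00300    45000    3600000 allow tcp from any to any 22
00400      300      24000 allow udp from any to any 53
00500  9000000  720000000 allow tcp from any to any 80
65535     5000     400000 deny ip from any to any
EOF
}

# Prints "rule packets position cost", where cost = packets * position,
# i.e. the number of rule comparisons spent on packets matching that rule.
# Highest cost first: those rules gain most from moving up, provided
# order-sensitive rules (such as anti-spoofing) stay ahead of them.
rank_rules() {
    awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            pos++
            printf "%s %d %d %d\n", $1, $2, pos, $2 * pos
        }
    ' | sort -k4,4nr -k1,1n
}

# Prints rule numbers that never matched during the observation window.
# These are candidates for review, not automatic removal: a deny rule
# with zero hits may simply not have been probed yet.
unused_rules() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $2 == 0 { print $1 }'
}

echo "rule packets position cost"
sample_counters | rank_rules
echo "rules with zero hits:"
sample_counters | unused_rules
```

On a live host the same functions read the real listing on standard input, for example `ipfw show | rank_rules`.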