From: Nate Williams <nate@yogotech.com>
Date: Thu, 16 Jan 2003 16:47:09 -0700
To: "."@babolo.ru
Cc: Nate Williams, freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <15911.17533.490764.478803@emerger.yogotech.com>
In-Reply-To: <200301162344.h0GNiIZk002530@aaz.links.ru>
References: <15911.15011.409213.712266@emerger.yogotech.com> <200301162344.h0GNiIZk002530@aaz.links.ru>

> > > Try this simple ruleset:
> > >
> > > possible deny log tcp from any to any setup tcpoptions !mss
> > >
> > > ipfw add allow ip from any to any out
> > > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > > ipfw add deny log ip from any to any
> >
> > I'd limit these to the outside interface, for performance rules.
> >
> > # Whatever the interface is...
> > outif="fxp0"
> > ipfw add allow ip from any to any out via ${outif}
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> > ipfw add deny log ip from any to any via ${outif}
> >
> > etc...
>
> Your above ruleset seems to be correct ... if add
> some rule for outcoming traffic.
> I was too fast and keep in mind only incoming traffic.
>
> Effectivity depends on number of interfaces.
> If I remember right, one external and one internal.
> If such, the ruleset without interfaces defined
> for allow rules is not worse than without interfaces IMHO.

Not true.  The packets still pass through 'both' interfaces, and as such
the number of rules it must traverse is doubled (once for the internal,
once for the external).  Halving the # of ipfw rules is an easy way to
decrease the load on a CPU. :)

For most people, it makes little difference, but the user in question
has a firewall that's overloaded, so a 2x decrease in the # of rules might
make the difference, since the 'load' is caused by packets that
shouldn't be getting through..

Nate
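As an added illustration (not code from the thread or from FreeBSD), the following Python model of ipfw's first-match evaluation runs the interface-bound ruleset above against constructed packets, showing how `via ${outif}` rules decide traffic on the external interface and decide nothing on the internal one. The internal interface name fxp1, the 192.0.2.0/29 server block standing in for your.c.net{x,y,z,...}, and the rule numbers are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Minimal model of ipfw first-match semantics: rules are tried in ascending
# number and the first rule whose fields all match decides the packet.
@dataclass
class Rule:
    num: int
    action: str                   # "allow" or "deny"
    direction: Optional[str]      # "in", "out", or None for either
    dst: str                      # "any" or a CIDR network
    via: Optional[str] = None     # interface name; None matches any interface
    log: bool = False

@dataclass
class Packet:
    dst: str        # destination address
    iface: str      # interface the packet is crossing
    direction: str  # "in" or "out" relative to that interface

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.via and rule.via != pkt.iface:   # "via" matches both directions
        return False
    if rule.dst != "any":
        return ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    return True

def evaluate(rules, pkt: Packet, default: str = "deny"):
    """Return (rule number, action, logged) for the first matching rule.
    Unmatched packets reach rule 65535, the kernel default, which denies
    unless the kernel was built with IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in sorted(rules, key=lambda r: r.num):
        if matches(rule, pkt):
            return rule.num, rule.action, rule.log
    return 65535, default, False

OUTIF = "fxp0"            # external interface, as in the thread
INIF = "fxp1"             # assumed internal interface (not named in the thread)
SERVERS = "192.0.2.0/29"  # constructed stand-in for your.c.net{x,y,z,...}

# The interface-bound ruleset from the thread, with assumed rule numbers.
RULESET = [
    Rule(100, "allow", "out", "any", via=OUTIF),
    Rule(200, "allow", None, SERVERS, via=OUTIF),
    Rule(300, "deny", None, "any", via=OUTIF, log=True),
]
```

A packet crossing fxp1 falls through every `via fxp0` rule to the default rule, so whether it is accepted there depends on the kernel's default action rather than on this ruleset.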