From: Chuck Swiger <cswiger@mac.com>
Organization: The Courts of Chaos
Date: Mon, 02 Jun 2003 12:01:44 -0400
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw and hostnames
Message-ID: <3EDB74E8.8020406@mac.com>
In-Reply-To: <00d701c328d3$54612910$812a40c1@PETEX31>
List-Id: Networking and TCP/IP with FreeBSD

Petri Helenius wrote:
[ ... ]
> That's another defect in the ipfw client utility: it stops processing rules if
> it fails to look up something. There should at least be a switch to allow
> it to continue and ignore the lines it cannot do.

If you really want to use names instead of IP addresses, try something like
the following from /etc/rc.conf:

#firewall_type='/etc/MY_firewall'
#firewall_flags='-p /usr/bin/cpp'

...and /etc/MY_firewall:

####
# set these to your inside interface network and netmask and ip
#define IIF sis0
#define INET 192.168.1.0/24
#define IIP 192.168.1.2

#define OIF fxp0
#define ONET xxx
#define OIP xxx

#define LOCALHOST 127.0.0.1
#define HOST1 1.2.3.4

# port number ranges
#define LOPORTS 1-1023
#define HIPORTS 1024-65535

####
# Bandwidth limitation
add 10 pipe 11 tcp from any to any in via IIF
add pipe 11 udp from any to any in via IIF
add pipe 11 ip from any to any in via IIF
pipe 11 config queue 60

add pipe 12 tcp from any to any out via IIF
add pipe 12 udp from any to any out via IIF
add pipe 12 ip from any to any out via IIF
pipe 12 config queue 60

# add rules here

add 65000 allow ip from any to any

> And in case you were wondering, I don't believe in perimeter security,
> so we run packet filters on all machines, not just on something some people
> call the magic-security-device-on-the-border alias "firewall".

It's certainly true that good security consists of more than just a magic box
called a firewall. If you configure your hosts securely so that they are safe
even without a "packet filtering router", you'll be doing much better than
average.

That being said, saying "I don't believe in perimeter security" is akin to
saying "I don't see a difference between a network and a group of hosts".

-- 
-Chuck
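As an added example, not from Chuck's mail or from the FreeBSD project, the POSIX sh script below shows a third option beside the two behaviours discussed in the thread (ipfw aborting mid-ruleset on a failed lookup, or a hypothetical switch that skips the unresolvable lines): resolve every hostname placeholder in a rule template before ipfw ever reads the file, and if any lookup fails, emit nothing, so the ruleset is never loaded partially and no rule is silently dropped. The `@name@` placeholder syntax, the hostnames and addresses, and the static `resolve_name` table are all constructed for this example; on a real host `resolve_name` would query DNS with a tool such as host(1). The cpp `#define` approach in the mail only substitutes text, so a lookup step like this is still needed somewhere if names rather than addresses are to be written in the template.

```shell
#!/bin/sh
# Added example: pre-resolve hostnames in an ipfw rule template and refuse to
# emit a ruleset unless every name resolves (fail closed).  Placeholders look
# like @host.example@.  The names, addresses and the static table below are
# constructed for this example, not taken from any real configuration.

# Stand-in resolver so the example runs offline.  On a real host this would
# query DNS, e.g. with host(1), and print one address or nothing.
resolve_name() {
    case "$1" in
        gw.example.net)   printf '%s\n' 192.0.2.1 ;;
        mail.example.net) printf '%s\n' 192.0.2.25 ;;
        *)                return 1 ;;
    esac
}

# Read a rule template on stdin, replace each @name@ with its address and
# print the result.  If any name fails to resolve, list the offending names
# on stderr, print no rules at all, and return 1.
expand_rules() {
    expanded=""
    unresolved=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Keep substituting while the line still holds an @...@ placeholder.
        while :; do
            case "$line" in
                *@*@*) ;;
                *) break ;;
            esac
            pre=${line%%@*}            # text before the opening @
            post=${line#*@}            # everything after the opening @
            name=${post%%@*}           # the placeholder name
            post=${post#*@}            # text after the closing @
            if addr=$(resolve_name "$name"); then
                line="$pre$addr$post"
            else
                unresolved="$unresolved $name"
                line="$pre$name$post"  # drop the markers so the scan advances
            fi
        done
        expanded="$expanded$line
"
    done
    if [ -n "$unresolved" ]; then
        printf 'expand_rules: unresolved name(s):%s\n' "$unresolved" >&2
        return 1
    fi
    printf '%s' "$expanded"
}

# Constructed template in the style of an ipfw rules file.
template='add allow tcp from any to @mail.example.net@ 25 in via fxp0
add allow ip from @gw.example.net@ to any
add deny ip from any to any'

if rules=$(printf '%s\n' "$template" | expand_rules); then
    # Only now is it safe to hand the text to ipfw, e.g. by writing it to the
    # file named in firewall_type (path assumed) and running /etc/rc.firewall.
    printf '%s\n' "$rules"
else
    echo "ruleset not generated; existing rules left untouched" >&2
fi
```

Because `expand_rules` prints nothing unless every name resolved, the caller can pipe its output straight into the file ipfw loads without risking a half-written policy; a failed run leaves whatever ruleset is currently loaded in place and reports which names broke the build.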