From: Nikos Vassiliadis
To: freebsd-questions@freebsd.org
Cc: Curby
Date: Mon, 26 Feb 2007 11:25:16 +0200
Subject: Re: ipfw questions
Message-Id: <200702261125.16649.nvass@teledomenet.gr>
In-Reply-To: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>

On Sunday 25 February 2007 13:33, Curby wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.
>
> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services? Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.
>

Firewalls also protect networks and not just single computers. These
rules are quite generic. A "deny ip from any to any" would be a good
default for a firewall, and so it is by default. From the ipfw man page:

    An ipfw ruleset always includes a default rule (numbered 65535)
    which cannot be modified or deleted, and matches all packets. The
    action associated with the default rule can be either deny or allow
    depending on how the kernel is configured.

Most ready-to-use rulesets will have such generalizations. It's not
much of a difference; you can't say they are wrong, and since you know
exactly what you want to achieve, it's up to you to change them to fit
your situation perfectly...

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?

> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in

I don't know about Mac, but on FreeBSD they are redundant anyway. The
TCP/IP stack denies packets from/to 127/8 coming from a wire, and it
also denies sending packets to/from 127/8 down to a wire.

> deny log ip from 224.0.0.0/3 to any in

A 224/4 source address is just not valid. The rest (240/4) is reserved
for future use.

> deny log tcp from any to 224.0.0.0/3 in

Also, it's not possible to multicast TCP (224/4). Since 240/4 is
reserved for future use, I would say they are invalid too. So, these
rules protect weak TCP/IP stacks. They are filtering what is already
invalid.

> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features. Thanks!

I would feel safe without such firewall rules on a personal FreeBSD
box. Also, if you don't feel safe, remember that ipfw comes with a
"deny ip from any to any" rule by default.

HTH, Nikos
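The argument in this reply can be checked mechanically: model Apple's four rules as ipfw would evaluate them on inbound packets, and separately classify each packet as invalid-on-the-wire for the reasons Nikos gives (127/8 on a wire, multicast source, TCP to multicast, 240/4 reserved). This is an added example, not code from the thread; the packets and addresses are constructed, and the rule matcher is a simplified model that ignores interface and verrevpath.

```python
import ipaddress
from typing import List, Tuple

Packet = Tuple[str, str, str]  # (src, dst, proto) of an inbound packet

# The four Apple rules from the thread, in ipfw order; "ip" matches any protocol.
APPLE_RULES = [
    ("deny log ip from 127.0.0.0/8 to any in", "ip", "127.0.0.0/8", "any"),
    ("deny log ip from any to 127.0.0.0/8 in", "ip", "any", "127.0.0.0/8"),
    ("deny log ip from 224.0.0.0/3 to any in", "ip", "224.0.0.0/3", "any"),
    ("deny log tcp from any to 224.0.0.0/3 in", "tcp", "any", "224.0.0.0/3"),
]

def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_matching_rule(pkt: Packet) -> str:
    """Text of the first rule that would drop the packet, or '' if none does."""
    src, dst, proto = pkt
    for text, rproto, rsrc, rdst in APPLE_RULES:
        if rproto in ("ip", proto) and _in(src, rsrc) and _in(dst, rdst):
            return text
    return ""

def why_invalid(pkt: Packet) -> List[str]:
    """Reasons the packet is already invalid on a wire, per the reply's argument."""
    src, dst, proto = pkt
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    reasons = []
    if s.is_loopback or d.is_loopback:
        reasons.append("127/8 never legitimately appears on a wire")
    if s.is_multicast:                       # 224/4 as a source
        reasons.append("224/4 is not a valid source address")
    if d.is_multicast and proto == "tcp":
        reasons.append("TCP cannot be multicast")
    if s.is_reserved or d.is_reserved:       # 240/4 in the ipaddress module
        reasons.append("240/4 is reserved for future use")
    return reasons

def rules_only_drop_invalid(pkts: List[Packet]) -> bool:
    """True if every sample packet the rules drop is also invalid by itself."""
    return all(why_invalid(p) for p in pkts if first_matching_rule(p))

SAMPLES: List[Packet] = [  # constructed, not captured traffic
    ("127.0.0.1", "10.0.0.5", "tcp"), ("10.0.0.7", "127.0.0.1", "udp"),
    ("224.0.0.1", "10.0.0.5", "udp"), ("10.0.0.9", "239.1.1.1", "tcp"),
    ("10.0.0.9", "239.1.1.1", "udp"), ("240.0.0.1", "10.0.0.5", "udp"),
]
```

The UDP-to-239.1.1.1 sample passes all four rules and has no invalidity reason, showing the rules do not touch legitimate multicast; every packet they do drop is one the stack should reject anyway.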