From: Curby
To: Nikos Vassiliadis
Cc: freebsd-questions@freebsd.org
Date: Mon, 26 Feb 2007 08:13:33 -0700
Subject: Re: ipfw questions
In-Reply-To: <200702261125.16649.nvass@teledomenet.gr>

Thanks for the replies!

On 2/25/07, Andrew Pantyukhin wrote:
> On 2/25/07, Curby wrote:
> If you don't forward packets, then it's not very different,
> packets for "not me" are gonna get dropped anyway right
> after the firewall.

Thanks! I think I found a case where "to all" is preferable over "to me". Since SMB seems to like broadcasting things, I'm allowing like the following instead of "to me":

    allow udp from any 137,138 to any in keep-state

I guess I could write a rule with "to me" and another with the broadcast address of my subnet, but this is simpler. =)

> There are a lot of complicated/illegal configurations
> when verrevpath shoots you in the foot. Keeping rules
> simple and stupid will save you a lot of headache in
> the end.

I'll keep that in mind as I go forward. I'm interested in trying to do traffic control and NAT via hand-written configurations. =)

On 2/26/07, Nikos Vassiliadis wrote:
> Most ready-to-use rulesets will have such generalizations. It's not
> much of a difference, you can't say they are wrong and since you know
> exactly what you want to achieve, it's up to you to change them to
> fit perfectly your situation...

Yeah, I wasn't really asking about the default/policy rule so much as asking for opinions on "to me" vs "to all" for service-related rules, like:

    allow tcp from any to me 22 in keep-state

As I found out, troublesome UDP protocols sometimes send to multicast/broadcast addresses so that might be a reason for "to all".

> I don't know about Mac but on FreeBSD they are redundant anyway.
> The TCP/IP stack denies packets from/to 127/8 coming from a wire,
> and it also denies sending packets to/from 127/8 down to a wire.

Thanks for the notes about the multicast address space. I guess I'll just try to keep the ruleset simple and compact, then tweak as I go. Thanks!
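The following is an added illustration of the "to me" vs "to any" point made in the thread; it is not code from the mailing list or from FreeBSD's ipfw. It is a toy matcher for the small subset of ipfw rule syntax that appears in the messages above (allow, proto, from/to with an address and an optional port list). The local addresses, the subnet, the packets and the rule lists are all constructed for the example; "me" is modelled as the set of addresses configured on the host, which is what ipfw's keyword expands to, and direction ("in") and keep-state are parsed but not evaluated.

```python
"""Toy ipfw-style rule matcher (added example, not from the thread or ipfw).

Shows why 'allow udp from any 137,138 to me' never matches NetBIOS traffic
sent to the subnet broadcast address, while 'to any' (or an explicit rule for
the broadcast address) does.  Everything below is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed host configuration: what ipfw's "me" keyword would expand to.
MY_ADDRESSES = {ip_address("192.168.1.10"), ip_address("127.0.0.1")}
SUBNET = ip_network("192.168.1.0/24")  # directly attached LAN (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _addr_matches(spec, addr):
    """'any' matches everything, 'me' matches local addresses, anything else
    is treated as a literal address or CIDR prefix."""
    if spec == "any":
        return True
    if spec == "me":
        return ip_address(addr) in MY_ADDRESSES
    return ip_address(addr) in ip_network(spec, strict=False)


def _port_matches(spec, port):
    """Port spec is 'any' or a comma-separated list such as '137,138'."""
    return spec == "any" or port in {int(p) for p in spec.split(",")}


def parse_rule(text):
    """Parse 'allow <proto> from <src> [ports] to <dst> [ports] [options]'.
    Only the subset of ipfw syntax used in the thread is handled; the
    trailing options ('in', 'keep-state') are kept but not evaluated."""
    t = text.split()
    action, proto = t[0], t[1]
    assert t[2] == "from", "expected 'from'"
    src, i, sport = t[3], 4, "any"
    if t[i] != "to":            # optional source port list
        sport, i = t[i], i + 1
    assert t[i] == "to", "expected 'to'"
    dst, i, dport = t[i + 1], i + 2, "any"
    if i < len(t) and t[i] not in ("in", "out", "keep-state"):
        dport, i = t[i], i + 1  # optional destination port list
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": t[i:]}


def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt.proto)
            and _addr_matches(rule["src"], pkt.src)
            and _port_matches(rule["sport"], pkt.sport)
            and _addr_matches(rule["dst"], pkt.dst)
            and _port_matches(rule["dport"], pkt.dport))


def first_match(rules, pkt):
    """ipfw semantics: the first matching rule wins; None if none matched."""
    for text in rules:
        if rule_matches(parse_rule(text), pkt):
            return text
    return None


# The two variants discussed in the thread (ssh rule is the same in both).
RULES_TO_ME = ["allow udp from any 137,138 to me in keep-state",
               "allow tcp from any to me 22 in keep-state"]
RULES_TO_ANY = ["allow udp from any 137,138 to any in keep-state",
                "allow tcp from any to me 22 in keep-state"]
# The alternative Curby mentions: "to me" plus an explicit broadcast rule.
RULE_BCAST = "allow udp from any 137,138 to 192.168.1.255 in keep-state"

# Constructed packets: a NetBIOS name-service broadcast from a LAN peer,
# an ssh connection to this host, and an ssh connection to another host.
NETBIOS_BCAST = Packet("udp", "192.168.1.20", 137, str(SUBNET.broadcast_address), 137)
SSH_TO_ME = Packet("tcp", "192.168.1.20", 50000, "192.168.1.10", 22)
SSH_TO_OTHER = Packet("tcp", "192.168.1.20", 50000, "192.168.1.99", 22)


def demo():
    """Return which rule (if any) each sample packet hits under each variant."""
    return {
        "netbios_bcast/to_me": first_match(RULES_TO_ME, NETBIOS_BCAST),
        "netbios_bcast/to_any": first_match(RULES_TO_ANY, NETBIOS_BCAST),
        "netbios_bcast/explicit": first_match([RULE_BCAST], NETBIOS_BCAST),
        "ssh_to_me/to_me": first_match(RULES_TO_ME, SSH_TO_ME),
        "ssh_to_other/to_me": first_match(RULES_TO_ME, SSH_TO_OTHER),
    }


if __name__ == "__main__":
    for case, hit in demo().items():
        print(f"{case:26s} -> {hit or 'no match (falls through)'}")
```

The NetBIOS broadcast falls through the "to me" ruleset because 192.168.1.255 is not one of the host's own addresses, which is exactly the behaviour that motivated the "to any" rule in the message; the explicit broadcast-address rule is the other option mentioned. The ssh rule keeps "to me" in both variants, so a SYN aimed at another host on the LAN still matches nothing and is left to the later rules.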