Date: Mon, 26 Feb 2007 08:13:33 -0700
From: Curby <curby.public@gmail.com>
To: "Nikos Vassiliadis" <nvass@teledomenet.gr>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw questions
Message-ID: <5d2f37910702260713p5225507bk4fd4024357761fc7@mail.gmail.com>
In-Reply-To: <200702261125.16649.nvass@teledomenet.gr>
References: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com> <200702261125.16649.nvass@teledomenet.gr>
Thanks for the replies!

On 2/25/07, Andrew Pantyukhin <infofarmer@freebsd.org> wrote:
> On 2/25/07, Curby <curby.public@gmail.com> wrote:
> If you don't forward packets, then it's not very different,
> packets for "not me" are gonna get dropped anyway right
> after the firewall.

Thanks! I think I found a case where "to all" is preferable over "to me".
Since SMB seems to like broadcasting things, I'm allowing something like the
following instead of "to me":

  allow udp from any 137,138 to any in keep-state

I guess I could write a rule with "to me" and another with the broadcast
address of my subnet, but this is simpler. =)

> There are a lot of complicated/illegal configurations
> when verrevpath shoots you in the foot. Keeping rules
> simple and stupid will save you a lot of headache in
> the end.

I'll keep that in mind as I go forward. I'm interested in trying to do
traffic control and NAT via hand-written configurations. =)

On 2/26/07, Nikos Vassiliadis <nvass@teledomenet.gr> wrote:
> Most ready-to-use rulesets will have such generalizations. It's not
> much of a difference, you can't say they are wrong and since you know
> exactly what you want to achieve, it's up to you to change them to
> fit perfectly your situation...

Yeah, I wasn't really asking about the default/policy rule so much as
asking for opinions on "to me" vs "to all" for service-related rules, like:

  allow tcp from any to me 22 in keep-state

As I found out, troublesome UDP protocols sometimes send to
multicast/broadcast addresses, so that might be a reason for "to all".

> I don't know about Mac but on FreeBSD they are redundant anyway.
> The TCP/IP stack denies packets from/to 127/8 coming from a wire,
> and it also denies sending packets to/from 127/8 down to a wire.

Thanks for the notes about the multicast address space. I guess I'll just
try to keep the ruleset simple and compact, then tweak as I go.

Thanks!
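The message above weighs "to any" against "to me" for the NetBIOS rule, and mentions a third option (a "to me" rule plus a second rule for the subnet broadcast address). The following is an added illustration, not code from the thread or from ipfw itself: a toy first-match rule evaluator that models only the destination keywords discussed ("any", "me", a literal address), applied to a few constructed inbound packets. The host configuration (one interface at 192.168.1.10 on 192.168.1.0/24), the packets and the rule representation are all assumptions made for the example; real ipfw has far more matching options and "me" is resolved against the live interface table.

```python
"""Toy model of ipfw destination matching: "to any" vs "to me" vs
"to me" plus an explicit subnet-broadcast rule. Constructed example."""
import ipaddress

# Constructed host configuration (an assumption, not from the thread).
# In ipfw, "me" matches any address configured on the host's interfaces;
# the subnet broadcast address is not one of them.
LOCAL_ADDRS = {"192.168.1.10"}
SUBNET = ipaddress.ip_network("192.168.1.0/24")
BROADCAST = str(SUBNET.broadcast_address)  # 192.168.1.255


def dst_matches(spec, dst):
    """Resolve a destination spec ("any", "me", or a literal address)."""
    if spec == "any":
        return True
    if spec == "me":
        return dst in LOCAL_ADDRS
    return dst == spec


def rule(action, proto, src_ports, dst_spec, dst_ports=None):
    """Build a rule; a port set of None means 'any port'."""
    return {"action": action, "proto": proto, "src_ports": src_ports,
            "dst": dst_spec, "dst_ports": dst_ports}


def rule_matches(r, pkt):
    """True when protocol, source ports, destination ports and destination all match."""
    if r["proto"] != pkt["proto"]:
        return False
    if r["src_ports"] is not None and pkt["sport"] not in r["src_ports"]:
        return False
    if r["dst_ports"] is not None and pkt["dport"] not in r["dst_ports"]:
        return False
    return dst_matches(r["dst"], pkt["dst"])


def first_match(ruleset, pkt, default="deny"):
    """ipfw semantics: the first matching rule decides, else the default policy."""
    for r in ruleset:
        if rule_matches(r, pkt):
            return r["action"]
    return default


# The three ways of writing the NetBIOS (udp 137,138) rule from the thread.
RULESETS = {
    "to any": [rule("allow", "udp", {137, 138}, "any")],
    "to me": [rule("allow", "udp", {137, 138}, "me")],
    "to me + broadcast": [rule("allow", "udp", {137, 138}, "me"),
                          rule("allow", "udp", {137, 138}, BROADCAST)],
}

# Constructed inbound packets (sample data, not captured traffic).
PACKETS = {
    "netbios broadcast": {"proto": "udp", "src": "192.168.1.20", "sport": 137,
                          "dst": BROADCAST, "dport": 137},
    "netbios unicast": {"proto": "udp", "src": "192.168.1.20", "sport": 137,
                        "dst": "192.168.1.10", "dport": 137},
    "netbios for other host": {"proto": "udp", "src": "192.168.1.20",
                               "sport": 137, "dst": "10.0.0.5", "dport": 137},
    "ssh": {"proto": "tcp", "src": "203.0.113.7", "sport": 40000,
            "dst": "192.168.1.10", "dport": 22},
}


def evaluate():
    """Return {ruleset name: {packet name: verdict}} for every combination."""
    return {name: {pname: first_match(rs, pkt) for pname, pkt in PACKETS.items()}
            for name, rs in RULESETS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:18} " + "  ".join(f"{p}={v}" for p, v in verdicts.items()))
```

Running it shows the trade-off in the message: "to me" alone drops the broadcast name query, "to any" accepts it but also accepts NetBIOS traffic addressed to hosts other than this one (harmless on a non-forwarding host, as Andrew notes, but a wider match than needed), while "to me" plus an explicit broadcast rule accepts exactly the two kinds of packet the host should see.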