Date: Tue, 27 Feb 2001 10:21:51 +1100
From: Tony Landells <ahl@austclear.com.au>
To: Duraid <latif2221@home.com>
Cc: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: NAT with ipfw?
Message-ID: <200102262321.KAA07949@tungsten.austclear.com.au>
In-Reply-To: Message from Duraid <latif2221@home.com> of "Mon, 26 Feb 2001 07:55:05 -0000." <3A9A0BD9.FE92DCB4@home.com>
> If the default policy is to deny everything, then why is your firewall
> full of deny rules? Shouldn't it just have the allow rules, since
> everything else is going to be dropped by default?

Because sometimes it's easier to weed out some stupid stuff early on so that the allow rules are simpler. For example, without using a deny rule, try to do the following: permit telnet to 192.43.185.68 from anything except RFC1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). It just doesn't work.

> Other thing: I think your firewall is stateless (using established). If you
> had made it stateful (using keep-state), I think it would be much
> smaller.

It would be different, maybe better, maybe worse depending on your views. For an example configuration, I think this version is easier for newbies to understand. People that understand state properly can work out how to code it with less help (usually). But that's just my opinion.

Cheers,
Tony
--
Tony Landells <ahl@austclear.com.au>
Senior Network Engineer                    Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd       Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
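The ordering point Tony makes (a default-deny ruleset still wants a few early deny rules) can be seen with a small model of ipfw's first-match evaluation. This is an added illustration, not code from the thread or from FreeBSD; the rule representation, the `evaluate` function and the sample packets are constructed for the example.

```python
# Added example: a minimal model of ipfw's first-match rule evaluation,
# showing why "permit telnet to 192.43.185.68 from anything except
# RFC1918" needs deny rules placed before the single allow rule.
# Not FreeBSD code; packets below are constructed for illustration.
import ipaddress

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def rule(action, src, dst, dport):
    """One ipfw-like rule: src/dst are CIDR strings, dport is an int or None (any)."""
    return {"action": action,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "dport": dport}

def matches(r, src_ip, dst_ip, dport):
    return (ipaddress.ip_address(src_ip) in r["src"]
            and ipaddress.ip_address(dst_ip) in r["dst"]
            and (r["dport"] is None or r["dport"] == dport))

def evaluate(rules, src_ip, dst_ip, dport):
    """ipfw semantics: the first matching rule wins; the implicit last rule denies."""
    for r in rules:
        if matches(r, src_ip, dst_ip, dport):
            return r["action"]
    return "deny"  # default-to-deny policy, as in the thread

# Attempt 1: allow rules only. A single allow rule cannot express
# "any source except these three ranges", so private sources get in too.
ALLOW_ONLY = [rule("allow", "0.0.0.0/0", "192.43.185.68/32", 23)]

# Attempt 2: weed out RFC1918 sources first, then keep the allow rule simple.
DENY_THEN_ALLOW = [rule("deny", net, "0.0.0.0/0", None) for net in RFC1918] + [
    rule("allow", "0.0.0.0/0", "192.43.185.68/32", 23),
]

if __name__ == "__main__":
    for src in ("203.0.113.9", "192.168.1.5"):  # constructed public and private sources
        print(src,
              "allow-only:", evaluate(ALLOW_ONLY, src, "192.43.185.68", 23),
              "deny-then-allow:", evaluate(DENY_THEN_ALLOW, src, "192.43.185.68", 23))
```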