From: Tony Landells
To: Duraid
Cc: "freebsd-questions@FreeBSD.ORG"
Subject: Re: NAT with ipfw?
Date: Tue, 27 Feb 2001 10:21:51 +1100
Message-Id: <200102262321.KAA07949@tungsten.austclear.com.au>
In-Reply-To: Message from Duraid of "Mon, 26 Feb 2001 07:55:05 -0000." <3A9A0BD9.FE92DCB4@home.com>

> If the default policy is to deny everything, then why is your firewall
> full of deny rules? Shouldn't it just have the allow rules, since
> everything else is going to be dropped by default?

Because sometimes it's easier to weed out some stupid stuff early on so
that the allow rules are simpler.

For example, without using a deny rule, try to do the following: permit
telnet to 192.43.185.68 from anything except RFC1918 addresses
(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).

It just doesn't work.

> Other thing: I think your firewall is stateless (using established). If
> you had made it stateful (using keep-state) I think it would be much
> smaller.

It would be different, maybe better, maybe worse depending on your views.

For an example configuration, I think this version is easier for newbies
to understand. People that understand state properly can work out how to
code it with less help (usually).

But that's just my opinion.

Cheers,
Tony
--
Tony Landells
Senior Network Engineer                    Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd       Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
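The "deny early, then allow" point in Tony's reply can be made concrete with a small first-match model of an ipfw-style ruleset. The following is an added example written for this page, not code from the thread or from FreeBSD: it models ipfw's first-match semantics with a default-deny policy (interfaces, directions and state are left out), encodes the two rulesets as ipfw would express them, and also computes how many allow rules an allow-only ruleset would need to say "anything except RFC1918". The source addresses 10.1.2.3 and 203.0.113.5 are constructed test values; the telnet host and the RFC1918 blocks are the ones named in the reply.

```python
"""First-match packet-filter model in the style of ipfw (added example).

Shows why a deny rule placed before the allow rules keeps the allow rules
simple: a single allow rule cannot say "from anything except RFC1918".
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three RFC1918 blocks and the telnet host named in the reply.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TELNET_HOST = ipaddress.ip_network("192.43.185.68/32")
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One filter rule: src/dst are tuples of networks, dport None = any port."""
    action: str                 # "allow" or "deny"
    src: tuple
    dst: tuple
    dport: Optional[int]
    proto: str = "ip"           # "ip" matches any protocol, as in ipfw
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return (any(s in n for n in self.src)
                and any(d in n for n in self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto in ("ip", pkt.proto))


def evaluate(rules, pkt: Packet):
    """First matching rule wins; no match falls through to default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default policy"


# Equivalent ipfw rules (hypothetical numbering):
#   ipfw add 100 deny ip from 10.0.0.0/8 to any
#   ipfw add 110 deny ip from 172.16.0.0/12 to any
#   ipfw add 120 deny ip from 192.168.0.0/16 to any
#   ipfw add 200 allow tcp from any to 192.43.185.68 23
WITH_EARLY_DENY = tuple(
    Rule("deny", (n,), (ANY_V4,), None, comment=f"weed out {n}") for n in RFC1918
) + (
    Rule("allow", (ANY_V4,), (TELNET_HOST,), 23, proto="tcp", comment="telnet to host"),
)

# The same allow rule on its own: it has no way to express "except RFC1918".
ALLOW_ONLY = (WITH_EARLY_DENY[-1],)


def allow_only_equivalent(excluded=RFC1918):
    """Prefixes an allow-only ruleset would need: all of IPv4 minus `excluded`."""
    remaining = [ANY_V4]
    for net in excluded:
        nxt = []
        for r in remaining:
            nxt.extend(r.address_exclude(net) if net.subnet_of(r) else [r])
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    for p in (Packet("10.1.2.3", "192.43.185.68", 23),      # constructed RFC1918 source
              Packet("203.0.113.5", "192.43.185.68", 23)):  # constructed public source
        print(p.src, "-> with deny:", evaluate(WITH_EARLY_DENY, p),
              "| allow-only:", evaluate(ALLOW_ONLY, p))
    print(len(allow_only_equivalent()), "allow rules needed to avoid the deny rules")
```

With the early deny rules, a telnet attempt from 10.1.2.3 is dropped and one from 203.0.113.5 is accepted; with the allow rule alone, the RFC1918 source gets through. Expressing the same policy purely with allow rules means enumerating the complement of the three RFC1918 blocks, which comes to 31 CIDR prefixes in place of three deny rules, which is the sense in which "it just doesn't work".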