From owner-freebsd-ipfw@FreeBSD.ORG Tue Apr 14 21:22:06 2015
Subject: Re: ipfw on just inbound and not outbound
From: Charles Swiger
To: hiren panchasara
Cc: freebsd-ipfw@freebsd.org, nitroboost@gmail.com
Date: Tue, 14 Apr 2015 14:21:59 -0700
In-Reply-To: <20150414210901.GA10620@strugglingcoder.info>
List-Id: IPFW Technical Discussions

On Apr 14, 2015, at 2:09 PM, hiren panchasara wrote:
> Apologies if this is something silly but I want to completely eliminate
> ipfw from outgoing traffic perspective. I just want to have it on
> incoming. I can always add "allow ip from any to any out" as the first
> rule but that is still ipfw doing something.
>
> Is there a way to tell ipfw to not look at outbound traffic at all?
>
> OR, the rule I mentioned is the best that can be done here?
Blocking outbound traffic can be more important to security than blocking inbound traffic-- for one reason, see BCP 38 / RFC-2827. The rule you've suggested is the best that can be done, aside from disabling IPFW entirely.

Regards,
--
-Chuck
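The two outbound policies discussed in this thread side by side, as an added example written in the style of a custom /etc/rc.firewall script (not code from either poster): the "allow everything out" first rule from the question, and the BCP 38 / RFC 2827 egress filter the reply points to. The external interface em0 and the prefix 192.0.2.0/24 are hypothetical; by default the script only prints the rules instead of loading them.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed values: external interface
# em0 and our own prefix 192.0.2.0/24. FWCMD defaults to "echo ipfw" so the
# ruleset is printed; set FWCMD=ipfw (as root on FreeBSD) to load it.
ext_if="${EXT_IF:-em0}"
our_net="${OUR_NET:-192.0.2.0/24}"
fwcmd="${FWCMD:-echo ipfw}"

# Variant from the question: one rule that short-circuits all outbound
# traffic. ipfw still evaluates this single rule for every outbound
# packet; there is no knob to skip the outbound hook entirely.
outbound_passthrough() {
    $fwcmd add 100 allow ip from any to any out
}

# Variant from the reply (BCP 38 / RFC 2827): packets leaving the external
# interface with a source address outside our prefix are spoofed, so log
# and drop them before the general outbound allow.
outbound_bcp38() {
    $fwcmd add 100 deny log ip from not "$our_net" to any out xmit "$ext_if"
    $fwcmd add 110 allow ip from any to any out
}

# Inbound policy shared by both variants: pass established state, accept
# new SSH sessions, log and drop everything else arriving on $ext_if.
inbound_rules() {
    $fwcmd add 200 check-state
    $fwcmd add 210 allow tcp from any to me 22 in recv "$ext_if" setup keep-state
    $fwcmd add 220 deny log ip from any to any in recv "$ext_if"
    # Traffic on other interfaces (lo0, internal LAN) is not filtered here.
    $fwcmd add 65000 allow ip from any to any
}

# build_ruleset passthrough|bcp38 : flush and emit the full ruleset.
build_ruleset() {
    $fwcmd -f flush
    case "$1" in
        bcp38) outbound_bcp38 ;;
        *)     outbound_passthrough ;;
    esac
    inbound_rules
}

build_ruleset "${1:-passthrough}"
```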