Date: Tue, 18 Jan 2000 09:40:33 -0800 (PST) From: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net> To: jwyatt@rwsystems.net (James Wyatt) Cc: oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG Subject: Re: New Firewall Message-ID: <200001181740.JAA48605@gndrsh.dnsmgr.net> In-Reply-To: <Pine.BSF.4.10.10001181118180.42481-100000@bsdie.rwsystems.net> from James Wyatt at "Jan 18, 2000 11:22:31 am"
next in thread | previous in thread | raw e-mail | index | archive | help
> On Tue, 18 Jan 2000, Omachonu Ogali wrote: > > The following rules can help if you are going to be running SMTP, HTTP, > > POP3, and HTTPS, delete what you don't need. > [ ... ] > > # -- Deny setup of other incoming connections > > ipfw add deny tcp from any to any setup > > > > # -- Deny other incoming IP packets. > > ipfw add deny ip from any to any > > These rules are duplicate, so you can drop the first one. The last rule is > commonly the default in /etc/rc.firewall as well. That aside, I might keep > the first one and change it to '... deny log ...", thus logging connection > attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf > is all about... - Jy@ These rules are not equivelent, ip != tcp, and setup != null. The first rule is _VERY_ important. The second can be eliminated, see other email from me on missing ``setup'' on all the other rules... -- Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200001181740.JAA48605>