Date: Fri, 5 May 2000 09:01:28 +0200
From: Marc Silver <marcs@draenor.org>
To: Dan O'Connor <dan@mostgraveconcern.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall Rules
Message-ID: <20000505090128.A4456@draenor.org>
In-Reply-To: <016c01bfb65d$aaf59c20$0200000a@danco>; from dan@mostgraveconcern.com on Thu, May 04, 2000 at 11:42:00PM -0700
References: <016c01bfb65d$aaf59c20$0200000a@danco>
Hey Dan,

Your feedback is much appreciated, and I have modified the rules (and my document) based on your suggestions.

On Thu, May 04, 2000 at 11:42:00PM -0700, Dan O'Connor wrote:
> <snip>
>
> Are you talking about User-PPP? (I assume so, since you use 'tun0' in your
> rules.) You do know that ppp(8) has built-in NAT and filtering (which is
> easier than IPFW), so that you don't need IPFW and NATD?
>

Do you feel that userland ppp is as safe as the kernel firewalling options? I would like to gain a better understanding. What are the major differences between the two?

> This one will allow incoming connections to your web server. BTW, 'allow'
> and 'pass' are the same, is there a particular reason you changed
> terminology? Also, you probably won't want to log this, since web traffic
> generates huge amounts of connections, and your web server will log it all
> anyway...

Didn't know that pass and allow were the same thing.... thanks. Also, the logging of http was a typo, but thanks for pointing it out.

> You might consider adding '$fwcmd allow udp from any to any 33434-33463' if
> you want to let people do a traceroute to you...

Also very useful, thank you.

> You might want to also take a look at the anti-spoofing rules in the SIMPLE
> section of /etc/rc.firewall.

Will look at this too.

Thanks,
Marc

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
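As an added illustration (not Marc's ruleset and not code from the thread), the points raised above written as an rc.firewall-style sh fragment: the unlogged web-server rule, the traceroute UDP range, and anti-spoofing rules in the shape of the SIMPLE section of /etc/rc.firewall. The interface names and addresses are constructed, and DRY_RUN=1 prints the rules instead of loading them so the set can be reviewed on any host.

```shell
#!/bin/sh
# Constructed example setup: tun0 is the outside (user-ppp) interface with a
# documentation address, fxp0 is the inside LAN.  Not a real deployment.
oif="tun0"; oip="198.51.100.7"; onet="198.51.100.7"; omask="255.255.255.255"
iif="fxp0"; inet="192.168.1.0"; imask="255.255.255.0"

# Wrapper so the rules can be printed (DRY_RUN=1) rather than loaded.
fwcmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

load_rules() {
    fwcmd -f flush
    # Anti-spoofing, as in the SIMPLE section of /etc/rc.firewall: a packet
    # claiming an inside source may not arrive on the outside interface,
    # and one claiming our outside address may not arrive from the LAN.
    fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
    # RFC 1918 space has no business on the outside interface in either direction.
    fwcmd add deny all from 192.168.0.0:255.255.0.0 to any via ${oif}
    fwcmd add deny all from 172.16.0.0:255.240.0.0 to any via ${oif}
    fwcmd add deny all from 10.0.0.0:255.0.0.0 to any via ${oif}
    # Web server: accept new TCP connections to port 80.  'allow' and 'pass'
    # are synonyms; no 'log' keyword here, the web server logs every hit already.
    fwcmd add allow tcp from any to ${oip} 80 setup
    # Let outsiders traceroute to us: the UDP probe port range.
    fwcmd add allow udp from any to any 33434-33463
    # Replies to sessions we already accepted, then the logged default deny.
    fwcmd add allow tcp from any to any established
    fwcmd add deny log all from any to any
}

# Print the rule set for review with: sh rules.sh --print
case "${1:-}" in
    --print) DRY_RUN=1 load_rules ;;
esac
```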
