From owner-freebsd-security Fri May  5 00:00:31 2000
Delivered-To: freebsd-security@freebsd.org
Received: from draenor.org (draenor.org [196.36.204.219])
	by hub.freebsd.org (Postfix) with ESMTP id 49E5837BAFE
	for ; Fri, 5 May 2000 00:00:14 -0700 (PDT)
	(envelope-from marcs@draenor.org)
Received: from marcs by draenor.org with local (Exim 3.12 #1)
	id 12nc76-0001BK-00; Fri, 05 May 2000 09:01:28 +0200
Date: Fri, 5 May 2000 09:01:28 +0200
From: Marc Silver
To: Dan O'Connor
Cc: freebsd-security@freebsd.org
Subject: Re: Firewall Rules
Message-ID: <20000505090128.A4456@draenor.org>
References: <016c01bfb65d$aaf59c20$0200000a@danco>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <016c01bfb65d$aaf59c20$0200000a@danco>; from dan@mostgraveconcern.com on Thu, May 04, 2000 at 11:42:00PM -0700
X-Operating-System: FreeBSD 3.4-STABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hey Dan,

Your feedback is much appreciated, and I have modified the rules (and my
document) based on your suggestions.

On Thu, May 04, 2000 at 11:42:00PM -0700, Dan O'Connor wrote:
> Are you talking about User-PPP? (I assume so, since you use 'tun0' in your
> rules.) You do know that ppp(8) has built-in NAT and filtering (which is
> easier than IPFW), so that you don't need IPFW and NATD?

Do you feel that userland ppp is as safe as the kernel firewalling options?
I would like to gain a better understanding. What are the major differences
between the two?

> This one will allow incoming connections to your web server. BTW, 'allow'
> and 'pass' are the same, is there a particular reason you changed
> terminology? Also, you probably won't want to log this, since web traffic
> generates huge amounts of connections, and your web server will log it all
> anyway...

Didn't know that pass and allow were the same thing... thanks. Also, the
logging of http was a typo, but thanks for pointing it out.
> You might consider adding '$fwcmd allow udp from any to any 33434-33463' if
> you want to let people do a traceroute to you...

Also very useful, thank you.

> You might want to also take a look at the anti-spoofing rules in the SIMPLE
> section of /etc/rc.firewall.

Will look at this too.

Thanks,
Marc
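The points raised in the exchange above (kernel ipfw with natd on a user-ppp tun0 link, the anti-spoofing rules from the SIMPLE section of /etc/rc.firewall, an unlogged allow rule for the web server, and the UDP 33434-33463 range for inbound traceroute) assembled into one ruleset, as an added example that is not Marc's document or Dan's rules. Interface names (tun0, ed0), the inside network 192.0.2.0/24 and the web server address 192.0.2.10 are assumptions. The rules use the pre-stateful ipfw syntax of FreeBSD 3.x/4.x (setup/established, no keep-state), and each line is written with `add`, which the quoted traceroute rule leaves out. The script prints the rules by default so it can be reviewed anywhere; set FWCMD to the real ipfw binary to load them.

```shell
#!/bin/sh
# Added example, not code from the thread above: an ipfw ruleset in the style
# of the SIMPLE section of FreeBSD's /etc/rc.firewall for a host whose outside
# link is user-ppp on tun0 (NAT done by natd) and whose LAN is on ed0.
# Interface names, addresses and the web server host are assumptions.
#
# FWCMD defaults to "echo ipfw", so the rules are only printed; on the FreeBSD
# box run it as FWCMD="ipfw -q" to actually load them.

oif="tun0"                 # outside interface (user-ppp), assumption
iif="ed0"                  # inside interface, assumption
inet="192.0.2.0"           # inside network, assumption (documentation range)
imask="255.255.255.0"
webhost="192.0.2.10"       # web server behind the firewall, assumption

fwcmd="${FWCMD:-echo ipfw}"

build_rules() {
    $fwcmd -f flush

    # Loopback traffic is fine; anything else that claims 127/8 is bogus.
    $fwcmd add allow all from any to any via lo0
    $fwcmd add deny all from any to 127.0.0.0/8
    $fwcmd add deny all from 127.0.0.0/8 to any

    # Anti-spoofing, evaluated before NAT sees the packet: our own inside
    # addresses and the RFC 1918 ranges must never arrive on the outside
    # interface. Logged, because a hit is worth looking at.
    $fwcmd add deny log all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny log all from 10.0.0.0:255.0.0.0 to any in via ${oif}
    $fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any in via ${oif}
    $fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any in via ${oif}

    # Hand everything crossing the outside interface to natd.
    $fwcmd add divert natd all from any to any via ${oif}

    # Packets belonging to TCP connections that already passed a setup rule.
    $fwcmd add allow tcp from any to any established

    # Inbound web connections: no 'log' here, the web server logs them itself.
    # Behind natd this only works if natd redirects port 80 to ${webhost}
    # (-redirect_port), otherwise the translated destination never matches.
    $fwcmd add allow tcp from any to ${webhost} 80 setup

    # Outside hosts may traceroute to us (UDP probes aimed at 33434-33463).
    $fwcmd add allow udp from any to any 33434-33463

    # Inside hosts may open TCP connections to anywhere.
    $fwcmd add allow tcp from ${inet}:${imask} to any setup

    # DNS queries from inside and the replies; ipfw of this era has no
    # stateful UDP, so the reply rule has to trust the source port.
    $fwcmd add allow udp from ${inet}:${imask} to any 53
    $fwcmd add allow udp from any 53 to ${inet}:${imask}

    # ICMP needed for ping, path MTU discovery and traceroute replies.
    $fwcmd add allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is dropped and logged; this must stay the last rule.
    $fwcmd add deny log all from any to any
}

# Last rule of the generated set; lets a reviewer confirm the default deny
# really is at the end.
last_rule() {
    build_rules | tail -n 1
}

build_rules
```

Rule order matters more than rule count here: the anti-spoofing denies sit before the divert so natd never translates a spoofed packet, the `established` rule sits before any `setup` rule so return traffic is passed cheaply, and the logged default deny stays last.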