From: Wes Peters
Organization: Softweyr LLC
Date: Mon, 01 Jan 2001 07:52:04 -0700
To: "Louis A. Mamakos"
Cc: Gerhard Sittig, freebsd-current@FreeBSD.ORG
Subject: Re: IGMP queries
Message-ID: <3A509994.D341766A@softweyr.com>

"Louis A. Mamakos" wrote:
>
> EGP hasn't been in wide use for probably 7 or 8 years now.
>
> I think the real problem with this dynamic link issue and keeping the
> connection up is that the default policy is wrong. You ought to
> specify what sort of traffic is "important" and should cause a
> dynamic link to be established (and kept up), rather than trying
> to exclude things.
>
> For example, you'd probably not want to have NTP establish or keep
> your link up; perhaps not DNS, either. Probably you'd want
> TCP/SSH or TCP/HTTPD though.

Most SSH and HTTP traffic is preceded by a DNS lookup; if you don't
allow the DNS traffic, the SSH or HTTP traffic will never occur.
Trying to predict how these things happen is a non-obvious exercise
that requires careful study or you will break things horribly. We tune
our default firewall configuration by practicing on our real, live
internet connection at work, just to make sure we're not cutting off
our customers' heads. It can be quite irritating at times, but fits
with the "eat your own dog food" philosophy.

--
Where am I, and what am I doing in this handbasket?
Wes Peters
wes@softweyr.com