From: "Crist J. Clark"
To: "Rodney W. Grimes"
Cc: James Wyatt, Omachonu Ogali, Brian Gallucci, isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Date: Wed, 19 Jan 2000 23:48:27 -0500
Subject: Re: New Firewall
Message-ID: <20000119234827.A70698@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <200001181740.JAA48605@gndrsh.dnsmgr.net>

On Tue, Jan 18, 2000 at 09:40:33AM -0800, Rodney W. Grimes wrote:
> > On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > > The following rules can help if you are going to be running SMTP, HTTP,
> > > POP3, and HTTPS, delete what you don't need.
> > [ ... ]
> > > # -- Deny setup of other incoming connections
> > > ipfw add deny tcp from any to any setup
> > >
> > > # -- Deny other incoming IP packets.
> > > ipfw add deny ip from any to any
> >
> > These rules are duplicate, so you can drop the first one. The last rule is
> > commonly the default in /etc/rc.firewall as well. That aside, I might keep
> > the first one and change it to '... deny log ...', thus logging connection
> > attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> > is all about... - Jy@
>
> These rules are not equivalent, ip != tcp, and setup != null. The first
> rule is _VERY_ important. The second can be eliminated, see other email
> from me on missing ``setup'' on all the other rules...

Huh? While it's true the rules are obviously not "duplicates" or
"equivalent," the first one is not necessary when these two appear next
to one another and no logging is done (like it is written). Anything
that would be denied by the first rule would be denied by the second,
i.e. all packets that match the first rule are a subset of the packets
that match the second.

Or am I missing something?
-- 
Crist J. Clark                                cjclark@home.com
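The subset argument above can be checked mechanically. What follows is an added example, not code from the thread or from FreeBSD: a small first-match model of ipfw that understands only the `from any to any` rule shape quoted in the message. The `Packet` and `Rule` classes, the `evaluate` function, the sample packets and the log-line format are all constructed here for illustration; `setup` is modelled as ipfw defines it (TCP with SYN set and ACK clear), and an unmatched packet falls through to the default rule 65535, which denies.

```python
"""
Constructed example (not from the thread): a minimal first-match model of the
two ipfw rules under discussion. Only "<action> [log] <proto> from any to any
[setup]" rules are modelled, because that is the shape the message quotes.
"""
from dataclasses import dataclass
from itertools import product
import re

RULE_RE = re.compile(
    r"^(allow|deny)(\s+log)?\s+(tcp|udp|icmp|ip)\s+from\s+any\s+to\s+any(\s+setup)?$"
)


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # TCP SYN flag (ignored for non-TCP)
    ack: bool = False   # TCP ACK flag (ignored for non-TCP)

    @property
    def is_setup(self) -> bool:
        # ipfw's "setup" option: a TCP segment with SYN set and ACK clear
        return self.proto == "tcp" and self.syn and not self.ack


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp", "icmp", or "ip" (ip matches every protocol)
    setup: bool   # rule carries the "setup" option
    log: bool     # rule carries the "log" option

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        return pkt.is_setup if self.setup else True


def parse_rule(text: str) -> Rule:
    """Parse the restricted rule syntax used in the quoted rc.firewall lines."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {text!r}")
    action, log, proto, setup = m.groups()
    return Rule(action, proto, setup is not None, log is not None)


def evaluate(rules, pkt, log_lines=None):
    """First match wins, as in ipfw. Returns (action, rule number)."""
    for num, r in enumerate(rules, start=1):
        if r.matches(pkt):
            if r.log and log_lines is not None:
                # constructed log format, loosely modelled on ipfw's syslog lines
                log_lines.append(f"ipfw: {num} {r.action.capitalize()} "
                                 f"{pkt.proto.upper()}{' SYN' if pkt.is_setup else ''}")
            return r.action, num
    return "deny", 65535   # default rule: 65535 deny ip from any to any


def sample_packets():
    """Every protocol/flag combination the model distinguishes (constructed)."""
    pkts = [Packet("udp"), Packet("icmp")]
    pkts += [Packet("tcp", syn, ack) for syn, ack in product((False, True), repeat=2)]
    return pkts


def decisions(rule_texts):
    """Tuple of verdicts, one per sample packet, for a given rule list."""
    rules = [parse_rule(t) for t in rule_texts]
    return tuple(evaluate(rules, p)[0] for p in sample_packets())


def is_subset(narrow_text, wide_text):
    """True if every packet matched by the narrow rule is matched by the wide one."""
    narrow, wide = parse_rule(narrow_text), parse_rule(wide_text)
    return all(wide.matches(p) for p in sample_packets() if narrow.matches(p))


def logged_attempts(rule_texts):
    """Log lines produced while running every sample packet through the rules."""
    rules = [parse_rule(t) for t in rule_texts]
    lines = []
    for p in sample_packets():
        evaluate(rules, p, lines)
    return lines


SETUP_RULE = "deny tcp from any to any setup"
ALL_RULE = "deny ip from any to any"

if __name__ == "__main__":
    print(is_subset(SETUP_RULE, ALL_RULE))                           # True
    print(decisions([SETUP_RULE, ALL_RULE]) == decisions([ALL_RULE]))  # True
    # With an "allow tcp" rule between them, dropping the setup rule changes verdicts:
    print(decisions([SETUP_RULE, "allow tcp from any to any", ALL_RULE])
          == decisions(["allow tcp from any to any", ALL_RULE]))      # False
    print(logged_attempts(["deny log tcp from any to any setup", ALL_RULE]))
```

The model agrees with the message: with the two deny rules adjacent and no `log` option, removing the `setup` rule changes no verdict, because every `setup` packet is also an `ip` packet. It also shows the two cases where the narrow rule still matters: when another rule sits between them (the model's `allow tcp` case), and when it carries `log`, since only the narrower rule produces a log line specifically for connection attempts. That last point is also where the `log_in_vain` suggestion differs in kind: the firewall logs the attempt at the packet filter, whereas `log_in_vain` is the TCP/UDP stack logging attempts that reach it.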