From: "Rodney W. Grimes"
Subject: Re: New Firewall
To: cjc@cc942873-a.ewndsr1.nj.home.com (Crist J. Clark)
Cc: jwyatt@rwsystems.net (James Wyatt), oogali@intranova.net (Omachonu Ogali), briang@expnet.net (Brian Gallucci), isp@FreeBSD.ORG, freebsd-ipfw@FreeBSD.ORG
Date: Wed, 19 Jan 2000 21:00:29 -0800 (PST)
Message-Id: <200001200500.VAA53835@gndrsh.dnsmgr.net>
In-Reply-To: <20000119234827.A70698@cc942873-a.ewndsr1.nj.home.com> from "Crist J. Clark" at "Jan 19, 2000 11:48:27 pm"

> On Tue, Jan 18, 2000 at 09:40:33AM -0800, Rodney W. Grimes wrote:
> > > On Tue, 18 Jan 2000, Omachonu Ogali wrote:
> > > > The following rules can help if you are going to be running SMTP, HTTP,
> > > > POP3, and HTTPS, delete what you don't need.
> > > [ ... ]
> > > > # -- Deny setup of other incoming connections
> > > > ipfw add deny tcp from any to any setup
> > > >
> > > > # -- Deny other incoming IP packets.
> > > > ipfw add deny ip from any to any
> > >
> > > These rules are duplicate, so you can drop the first one. The last rule is
> > > commonly the default in /etc/rc.firewall as well. That aside, I might keep
> > > the first one and change it to '... deny log ...', thus logging connection
> > > attempts. On the other hand, that's what log_in_vain="YES" in /etc/rc.conf
> > > is all about... - Jy@

I missed this the first time around.

log_in_vain will not always do what a log deny would do on this rule.
log_in_vain will only catch connections to the router/host, not packets
passing through the router if it is a real firewall/forwarding engine.

> > These rules are not equivalent, ip != tcp, and setup != null. The first
> > rule is _VERY_ important. The second can be eliminated, see other email
> > from me on missing ``setup'' on all the other rules...
>
> Huh?
>
> While it's true the rules are obviously not "duplicates" or
> "equivalent," the first one is not necessary when these two appear next
> to one another and no logging is done (like it is written).

Then it would have been clearer had you said ``The second rule is
redundant because...''

> Anything
> that would be denied by the first rule would be denied by the
> second, i.e. all packets that match the first rule are a subset of the
> packets that match the second.

Yes, that is true, however I still stand by my statement, and you
confirm that here, that ``these rules are not equivalent''

>
> Or am I missing something?

Yea, that people often add rules between other rules, especially
between those 2 rules :-). (For example that is one place that ttcp
syn/fin packet processing can be done.)

-- 
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
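As an added illustration (not part of this thread or of FreeBSD), a small Python model of ipfw's first-match evaluation showing the two points argued above: `deny tcp from any to any setup` matches a strict subset of `deny ip from any to any`, yet it is the rule that sees, and with `log` records, inbound connection attempts, while log_in_vain only sees attempts addressed to the host itself and never forwarded ones. The Packet and Rule classes, the simplified rule grammar and the addresses are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str           # "tcp", "udp", ...
    dst: str             # destination address
    syn: bool = False
    ack: bool = False

@dataclass
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "ip" matches every protocol, "tcp" only TCP
    setup: bool = False  # ipfw 'setup': TCP with SYN set and ACK clear
    log: bool = False

    def matches(self, p):
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.setup and not (p.proto == "tcp" and p.syn and not p.ack):
            return False
        return True

def run_ipfw(rules, pkt, fw_log):
    """ipfw semantics: the first matching rule decides; a 'log' rule records
    the hit. Returns (action, 1-based rule number); 0 means nothing matched."""
    for num, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            if rule.log:
                fw_log.append((num, pkt.dst))
            return rule.action, num
    return "allow", 0    # assumption: open default when no rule matches

def log_in_vain(pkt, local_addrs):
    # Only connection attempts to the host's own addresses are visible to
    # log_in_vain; packets merely forwarded by the router never reach it.
    return pkt.proto == "tcp" and pkt.syn and not pkt.ack and pkt.dst in local_addrs

def demo():
    rules = [Rule("deny", "tcp", setup=True, log=True),  # deny log tcp from any to any setup
             Rule("deny", "ip")]                          # deny ip from any to any
    local = {"198.51.100.1"}                              # constructed: the firewall's own address
    pkts = [Packet("tcp", "198.51.100.1", syn=True),           # SYN to the firewall itself
            Packet("tcp", "192.0.2.10", syn=True),             # SYN forwarded to an inside host
            Packet("tcp", "192.0.2.10", syn=True, ack=True),   # SYN/ACK: not 'setup'
            Packet("udp", "192.0.2.10")]                       # not TCP at all
    fw_log = []
    hits = [run_ipfw(rules, p, fw_log)[1] for p in pkts]       # rule number that fired
    vain = [p.dst for p in pkts if log_in_vain(p, local)]      # what log_in_vain would see
    return hits, [dst for _, dst in fw_log], vain
```

Both SYNs hit rule 1 and are logged by the firewall rule, but log_in_vain reports only the one addressed to the firewall; the SYN/ACK and the UDP packet fall through to rule 2.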