Date: Mon, 02 Jun 2003 12:01:44 -0400
From: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw and hostnames
Message-ID: <3EDB74E8.8020406@mac.com>
In-Reply-To: <00d701c328d3$54612910$812a40c1@PETEX31>
References: <001f01c32831$296b9210$812a40c1@PETEX31> <3EDA498D.3000307@mac.com> <008f01c32875$c210c730$812a40c1@PETEX31> <3EDA5A7F.6060204@mac.com> <00d701c328d3$54612910$812a40c1@PETEX31>
Petri Helenius wrote:
[ ... ]
> That's another defect in the ipfw client utility: it stops processing rules if
> it fails to look up something. There should at least be a switch to allow
> it to continue and ignore the lines it cannot do.

If you really want to use names instead of IP addresses, try something like
the following from /etc/rc.conf:

    #firewall_type='/etc/MY_firewall'
    #firewall_flags='-p /usr/bin/cpp'

...and /etc/MY_firewall:

    ####
    # set these to your inside interface network and netmask and ip
    #define IIF sis0
    #define INET 192.168.1.0/24
    #define IIP 192.168.1.2

    #define OIF fxp0
    #define ONET xxx
    #define OIP xxx

    #define LOCALHOST 127.0.0.1
    #define HOST1 1.2.3.4

    # port number ranges
    #define LOPORTS 1-1023
    #define HIPORTS 1024-65535

    ####
    # Bandwidth limitation
    add 10 pipe 11 tcp from any to any in via IIF
    add pipe 11 udp from any to any in via IIF
    add pipe 11 ip from any to any in via IIF
    pipe 11 config queue 60

    add pipe 12 tcp from any to any out via IIF
    add pipe 12 udp from any to any out via IIF
    add pipe 12 ip from any to any out via IIF
    pipe 12 config queue 60

    # add rules here

    add 65000 allow ip from any to any

> And in case you were wondering, I don't believe in perimeter security,
> so we run packet filters on all machines, not just on something some people
> call the magic-security-device-on-the-border alias "firewall".

It's certainly true that good security consists of more than just a magic box
called a firewall. If you configure your hosts securely so that they are safe
even without a "packet filtering router", you'll be doing much better than
average.

That being said, saying "I don't believe in perimeter security" is akin to
saying "I don't see a difference between a network and a group of hosts".

-- 
-Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EDB74E8.8020406>
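The exchange above turns on two points: ipfw(8) aborts the whole rule load when one name lookup fails, and Chuck's workaround is to keep addresses in cpp-style "#define NAME VALUE" lines and let a preprocessor expand a rule template. The script below is an added example, not code from the thread or from FreeBSD: it expands that style of definitions into a rule template with plain awk (no cpp needed), and instead of aborting it drops any rule that still references an undefined ALL-CAPS name, reports it on stderr, and returns the number of dropped rules as the exit status, so a missing entry costs one rule rather than the whole set. The DEFS and TEMPLATE strings are constructed sample input, and the expand_rules function name is this example's own; macros are matched as whole whitespace-separated tokens only.

```shell
#!/bin/sh
# Added example (not from the thread): expand "#define NAME VALUE" macros into an
# ipfw rule template without cpp, skipping (not aborting on) undefined names.

# Constructed sample definitions, in the style of Chuck's /etc/MY_firewall.
DEFS='#define IIF sis0
#define INET 192.168.1.0/24
#define HOST1 1.2.3.4'

# Constructed sample template; the second rule refers to HOST2, which is
# deliberately left undefined to exercise the skip path.
TEMPLATE='# trusted inside host may reach HOST1 on ssh
add 100 allow tcp from INET to HOST1 22 in via IIF
add 200 deny ip from any to HOST2
add 65000 allow ip from any to any'

# expand_rules DEFS TEMPLATE
#   stdout: rules with every macro replaced by its value
#   stderr: one line per rule dropped because it still contained an
#           undefined ALL-CAPS identifier
#   exit status: number of rules dropped (0 means the set is complete)
expand_rules() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        BEGIN { mode = "defs"; skipped = 0 }
        mode == "defs" && $0 == "---" { mode = "rules"; next }
        mode == "defs" {
            # cpp-style definition: "#define NAME VALUE"
            if ($1 == "#define" && NF >= 3) macro[$2] = $3
            next
        }
        NF == 0 || /^#/ { next }            # drop blank lines and comments
        {
            out = ""; undefined = ""
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok in macro)
                    tok = macro[tok]
                else if (tok ~ /^[A-Z][A-Z0-9_]*$/)
                    undefined = undefined " " tok   # looks like a macro, never defined
                out = out (i > 1 ? " " : "") tok
            }
            if (undefined != "") {
                print "skipping rule (undefined:" undefined "): " $0 > "/dev/stderr"
                skipped++
                next
            }
            print out
        }
        END { exit skipped }
    '
}

# Usage: write the expanded set to a file and hand it to ipfw, e.g.
#   expand_rules "$DEFS" "$TEMPLATE" > /etc/ipfw.rules && ipfw /etc/ipfw.rules
# Here the result is only printed; a non-zero status reports how many rules
# were dropped so a loader script can decide whether that is acceptable.
expand_rules "$DEFS" "$TEMPLATE" || echo "dropped $? rule(s); review before loading" >&2
```

Whether a dropped rule is tolerable depends on what it did: dropping a "deny" silently widens the policy, so a loader should treat a non-zero status from this function as a reason to stop and look, not merely to log, unless the catch-all at the end of the set is itself a deny.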