Date: Sun, 16 Jun 2002 22:34:29 -0400
From: grimm <grimm@planetquake.com>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: crist.clark@attbi.com, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw-ntad-jail
Message-ID: <20020616223429.2f200728.grimm@planetquake.com>
In-Reply-To: <20020616135903.B94357@blossom.cjclark.org>
References: <20020616134201.529b01aa.grimm@planetquake.com> <20020616135903.B94357@blossom.cjclark.org>
Greetings Crist,

What I find odd is that I read that section of my rules from a tutorial on the O'Reilly site. I read through a bunch of tutors and help pages and never saw the keyword "me" being used. But I will definitely give it a try.

Like I said, I read that 351 rule directly from a tutorial. The problem I am having is that I don't have the machine at home, and sending messages to the list from work wasn't working! I am so glad to have gotten so much feedback already!

I am new to this, but what can you suggest I do? Are there some rules in there you think are trouble and I should edit or comment out and test with something else? I mean, so far I've gotten great help, but no one has mentioned a specific rule which is WRONG! So I am not really sure where to begin. I'll take your advice and see where that leads.

As for the logging, great idea! I'll also enable log_in_vain.

cheers,
__
Andrew

"Crist J. Clark" <crist.clark@attbi.com> wrote:

> OK, some problems here. First, ITYM to have rules like,
>
> add allow tcp from any to me 80 in via xl0
> add allow tcp from me 80 to any out via xl0
>
> No? Second, these won't work since you are blocking all TCP
> connections that are not using 'keep-state' with rule 351.
>>> add 00350 check-state
>>> add 00351 deny tcp from any to any in established
>>> add 00352 allow tcp from any to any out setup keep-state
> But...
> Always a good idea to add a,
>
> 65534 deny log ip from any to any
>
> Or something like it to help debugging.
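To make the point in Crist's quoted reply concrete, here is an added example that is not code from the thread or from FreeBSD's ipfw: a small Python model of ipfw's first-match evaluation with check-state/keep-state, run over the rules quoted above. It shows why rule 351 (`deny tcp from any to any in established`) kills a web server's connections when the `allow ... to me 80` rule after it does not keep state: the third packet of the handshake carries ACK, so 351 matches it before the allow rule is reached. The host address 192.0.2.10, the client addresses and the rule numbers 400/401 for the web-server rules are constructed, and putting `setup keep-state` on the inbound rule is an assumption about what "not using keep-state" implies, not a fix the thread spells out.

```python
from collections import namedtuple
from dataclasses import dataclass

MY_ADDRS = {"192.0.2.10"}  # constructed: the address ipfw's 'me' keyword resolves to on this host

# A packet as the rules see it; syn/ack are the only TCP flags 'setup'/'established' look at.
Packet = namedtuple("Packet", "proto src sport dst dport direction iface syn ack", defaults=(False, False))

@dataclass
class Rule:
    num: int
    action: str                    # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    sport: "int | None" = None
    dst: str = "any"
    dport: "int | None" = None
    iface: "str | None" = None
    opts: frozenset = frozenset()  # subset of {in, out, setup, established, keep-state}

def parse_rule(text: str) -> Rule:
    """Parse the 'ipfw add' subset used in the thread ('log' is accepted and ignored)."""
    toks = [t for t in text.split() if t not in ("add", "log")]
    rule = Rule(num=int(toks.pop(0)), action=toks.pop(0))
    if rule.action == "check-state":
        return rule
    rule.proto = toks.pop(0)
    for side in ("src", "dst"):        # "from <addr> [port] to <addr> [port]"
        toks.pop(0)                    # the 'from' / 'to' keyword itself
        setattr(rule, side, toks.pop(0))
        if toks and toks[0].isdigit():
            setattr(rule, side[0] + "port", int(toks.pop(0)))
    opts = set()
    while toks:
        tok = toks.pop(0)
        if tok == "via":
            rule.iface = toks.pop(0)
        elif tok in ("in", "out", "setup", "established", "keep-state"):
            opts.add(tok)
        else:
            raise ValueError(f"unsupported option {tok!r}")
    rule.opts = frozenset(opts)
    return rule

def addr_matches(spec: str, addr: str) -> bool:
    return spec == "any" or (addr in MY_ADDRS if spec == "me" else spec == addr)

def static_match(rule: Rule, pkt: Packet) -> bool:
    """Match on the rule's own criteria; the dynamic (keep-state) table is handled in Firewall."""
    direction_ok = not ({"in", "out"} & rule.opts) or pkt.direction in rule.opts
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport)
            and direction_ok and rule.iface in (None, pkt.iface)
            and ("setup" not in rule.opts or (pkt.syn and not pkt.ack))   # 'setup': SYN without ACK
            and ("established" not in rule.opts or pkt.ack))              # ACK set (RST not modelled)

class Firewall:
    """First-match evaluation over numbered rules plus a dynamic (keep-state) table."""

    def __init__(self, rule_texts):
        self.rules = sorted((parse_rule(t) for t in rule_texts), key=lambda r: r.num)
        self.dynamic = set()       # flow 5-tuples created by keep-state rules

    def check(self, pkt: Packet):
        """Return (action, rule_number) of the rule that decided this packet."""
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # dynamic rules match both ways
        for rule in self.rules:
            # check-state (and, implicitly, every keep-state rule) consults the dynamic table first
            if (rule.action == "check-state" or "keep-state" in rule.opts) and self.dynamic & {fwd, rev}:
                return ("allow", rule.num)
            if rule.action != "check-state" and static_match(rule, pkt):
                if "keep-state" in rule.opts and rule.action == "allow":
                    self.dynamic.add(fwd)
                return (rule.action, rule.num)
        return ("deny", 65535)         # the default rule of a kernel built to deny

def run_handshake(fw: Firewall):
    """Push a client's three-way handshake to port 80 on 'me' through the ruleset."""
    client, server = "203.0.113.7", "192.0.2.10"   # constructed addresses
    steps = [Packet("tcp", client, 40000, server, 80, "in", "xl0", syn=True),
             Packet("tcp", server, 80, client, 40000, "out", "xl0", syn=True, ack=True),
             Packet("tcp", client, 40000, server, 80, "in", "xl0", ack=True)]
    return [fw.check(p) for p in steps]

# Rules 350-352 and the 65534 catch-all are quoted in the thread; rule numbers 400/401 are constructed.
AS_POSTED = [
    "add 00350 check-state",
    "add 00351 deny tcp from any to any in established",
    "add 00352 allow tcp from any to any out setup keep-state",
    "add 00400 allow tcp from any to me 80 in via xl0",
    "add 00401 allow tcp from me 80 to any out via xl0",
    "add 65534 deny log ip from any to any",
]
# Assumed fix: let the inbound web rule create state, so the dynamic table (not rule 351) sees the rest.
WITH_STATE = AS_POSTED[:3] + ["add 00400 allow tcp from any to me 80 in via xl0 setup keep-state",
                              AS_POSTED[-1]]

if __name__ == "__main__":
    print("as posted :", run_handshake(Firewall(AS_POSTED)))   # third packet denied by 351
    print("with state:", run_handshake(Firewall(WITH_STATE)))  # all three allowed
```

Running it shows the SYN and SYN/ACK passing rules 400 and 401 as posted, then the client's ACK hitting `deny ... in established` at 351, so no connection ever completes; with state on the inbound rule, the reply and every later packet are answered by `check-state` at 350 and 351 is never consulted for that flow. The same model shows why the `65534 deny log ip from any to any` catch-all helps: a packet to an address that is not `me` falls through every rule and lands there, where the `log` would show it.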