Date:      Thu, 24 May 2001 21:52:27 -0700
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Doug Barton" <DougB@DougBarton.net>, "Steve Price" <steve@havk.org>
Cc:        <questions@FreeBSD.ORG>
Subject:   RE: reloading firewall rules remotely
Message-ID:  <000101c0e4d6$7f73be80$1401a8c0@tedm.placo.com>
In-Reply-To: <3B0DB74F.7289B884@DougBarton.net>

Let me warn you that there's a right way and a wrong way to
do this.

Typically, firewalls with an explicit accept at the end are
intended to be used for "masking off" specific undesirable
protocols.  For example if you had a network that you didn't
want to take responsibility for firewalling (perhaps you're an
ISP) but you wanted to block a specific protocol or IP number.
Or, if you put rules like this on an internal corporate WAN which
you didn't want employees using to play network games.  In this
case the rule list is a number of "deny" rules.

Firewalls with an explicit "deny" are used for Internet firewalls
because the idea here is you want to create "holes" for only very
specifically defined protocols.  In this case the rule list is
a number of "accept" rules.

If you're testing a firewall then you might want to set it up with
an explicit accept, then _manually_ put in the deny everything
rule at the end of the list.  That way when you're working on it,
you remove that rule, do your work, then put it back in for
testing.

But, most security authorities feel that the explicit deny is
much safer for an Internet firewall.  Keep this in mind when
creating your rule set.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Doug Barton
>Sent: Thursday, May 24, 2001 6:37 PM
>To: Steve Price
>Cc: questions@FreeBSD.ORG
>Subject: Re: reloading firewall rules remotely
>
>
>Steve Price wrote:
>>
>> Ok now I feel more stupid that I usually do.  What is the proper
>> method to reloading ipfw rules from a remote box?  I thought
>> running it in the background worked but evidently not. :(
>
>	While the advice you got on this old thread was mostly good, the most
>obvious solution was not stated. Namely, make your default rule "accept" by
>including that kernel option. Then you can reload rules all day long and
>not have to worry, unless you need the ultra-paranoid protection that
>having the default of "deny" gives you.
>
>--
>    I need someone really bad. Are you really bad?
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
>

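As an added example (not part of this thread, and not Ted's or Doug's
code), here is a small sh script that writes out the two ruleset styles
Ted describes, reports which action each one falls through to, and reloads
a ruleset with a timed rollback so a bad ruleset cannot lock you out of a
remote box for longer than the grace period.  IPFW_CMD is an assumed knob
so the script can be dry-run on a host without ipfw; the rule contents and
pid file path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.  Writes the two ruleset styles
# discussed above, reports which action a ruleset falls through to, and
# reloads a ruleset with a timed rollback for remote work.
# IPFW_CMD is an assumed knob: point it at a shell function or "echo" to
# dry-run on a host without ipfw.
IPFW_CMD=${IPFW_CMD:-/sbin/ipfw}

# Drop comments and blank lines so the file can be fed to ipfw line by line.
clean_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# Action of the last rule in the file ("allow" or "deny"): the ruleset's
# effective default, since ipfw stops at the first matching rule.
last_action() {
    clean_rules "$1" | awk '$1 == "add" { a = $3 } END { print a }'
}

# "Mask-off" style (constructed): deny a few things, explicit accept last.
write_mask_off_rules() {
    cat > "$1" <<'EOF'
# block a couple of protocols, pass everything else
add 100 deny tcp from any to any 6667       # IRC
add 200 deny udp from any to any 27015      # a game server port
add 65000 allow ip from any to any          # explicit accept at the end
EOF
}

# Internet-firewall style (constructed): open specific holes, explicit deny last.
write_internet_rules() {
    cat > "$1" <<'EOF'
# loopback, established TCP, a few services, then deny the rest
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to me 22 setup   # ssh, so the box stays manageable
add 400 allow tcp from any to me 80 setup   # http
add 500 allow udp from any 53 to me         # DNS replies
add 65000 deny ip from any to any           # explicit deny at the end
EOF
}

# Flush, then add each rule.  Fails on the first rule ipfw rejects.
load_rules() {
    $IPFW_CMD -q flush || return 1
    clean_rules "$1" | while IFS= read -r rule; do
        # unquoted on purpose: the rule is passed to ipfw as separate words
        $IPFW_CMD -q $rule || exit 1
    done
}

# Reload with a safety net: first schedule a rollback that flushes and
# opens the firewall after $grace seconds, then load the new rules.
# Cancel it with kill "$(cat $pidfile)" once you have confirmed you can
# still get in; if you cannot, wait out the grace period and fix the file.
reload_with_rollback() {
    rules=$1; grace=${2:-60}; pidfile=${3:-/var/run/ipfw-rollback.pid}
    (
        sleep "$grace"
        $IPFW_CMD -q flush
        $IPFW_CMD -q add 65000 allow ip from any to any
    ) &
    echo $! > "$pidfile"
    load_rules "$rules"
}
```

Run reload_with_rollback from a script started on the box rather than by
pasting commands into an interactive ssh session: unless the kernel was
built with options IPFIREWALL_DEFAULT_TO_ACCEPT, rule 65535 denies, so the
flush drops the session's packets until the allow rules are back, and only
a process already running on the host will get through that window.  That
is exactly the situation Doug's default-to-accept suggestion avoids, and
the rollback is what lets you keep the explicit deny Ted recommends while
still working remotely.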
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000101c0e4d6$7f73be80$1401a8c0>