Date: Thu, 24 May 2001 21:52:27 -0700
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Doug Barton" <DougB@DougBarton.net>, "Steve Price" <steve@havk.org>
Cc: <questions@FreeBSD.ORG>
Subject: RE: reloading firewall rules remotely
Message-ID: <000101c0e4d6$7f73be80$1401a8c0@tedm.placo.com>
In-Reply-To: <3B0DB74F.7289B884@DougBarton.net>
Let me warn you that there's a right way and a wrong way to do this.

Typically, firewalls with an explicit accept at the end are intended to be used for "masking off" specific undesirable protocols. For example, if you had a network that you didn't want to take responsibility for firewalling (perhaps you're an ISP) but you wanted to block a specific protocol or IP number. Or, if you put rules like this on an internal corporate WAN which you didn't want employees using to play network games. In this case the rule list is a number of "deny" rules.

Firewalls with an explicit "deny" are used for Internet firewalls because the idea here is you want to create "holes" for only very specifically defined protocols. In this case the rule list is a number of "accept" rules.

If you're testing a firewall then you might want to set it up with an explicit accept, then _manually_ put in the deny everything rule at the end of the list. That way when you're working on it, you remove that rule, do your work, then put it back in for testing. But, most security authorities feel that the explicit deny is much safer for an Internet firewall.

Keep this in mind when creating your rule set.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:                            The FreeBSD Corporate Networker's Guide
Book website:                         http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Doug Barton
>Sent: Thursday, May 24, 2001 6:37 PM
>To: Steve Price
>Cc: questions@FreeBSD.ORG
>Subject: Re: reloading firewall rules remotely
>
>
>Steve Price wrote:
>>
>> Ok now I feel more stupid than I usually do. What is the proper
>> method of reloading ipfw rules from a remote box? I thought
>> running it in the background worked but evidently not. :(
>
> While the advice you got on this old thread was mostly good, the most
>obvious solution was not stated. Namely, make your default rule "accept" by
>including that kernel option. Then you can reload rules all day long and
>not have to worry, unless you need the ultra-paranoid protection that
>having the default of "deny" gives you.
>
>--
> I need someone really bad. Are you really bad?
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-questions" in the body of the message
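An added illustration of the two rule-set shapes Ted describes, written for this page and not taken from the thread or from FreeBSD's own rc.firewall: a "masking" list (deny rules ending in an explicit allow) and an Internet-firewall list (accept "holes" ending in an explicit deny), with the final deny left out while you are working on the box and put back afterwards. The interface name, the management network, the sample blocked host and the fwcmd variable are assumptions made for the example; the ipfw syntax is the classic flush/add/allow/deny/setup/established form.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. fwcmd defaults to the
# ipfw binary; set fwcmd=echo to preview the rules without loading them.
fwcmd="${fwcmd:-/sbin/ipfw}"

# Constructed values for the example; replace with your own.
oif="fxp0"               # assumed outside interface
oip="198.51.100.10"      # assumed address of the firewall on that interface
mgmt_net="192.0.2.0/24"  # assumed network the admin's ssh session comes from
bad_host="203.0.113.45"  # assumed single host to block in the masking style

# Style 1, "masking off": the list is a series of deny rules and the last
# rule is an explicit allow, so anything not named passes. Suited to a
# network you do not want to take responsibility for firewalling.
masking_rules() {
    ${fwcmd} -q flush
    ${fwcmd} add 100 deny tcp from any to any 135-139 in via ${oif}
    ${fwcmd} add 200 deny ip from ${bad_host} to any in via ${oif}
    ${fwcmd} add 65000 allow ip from any to any
}

# Style 2, Internet firewall: the list is a series of accept "holes" and the
# last rule is an explicit deny. The first hole keeps the remote admin's
# session alive across the reload. Pass "open" to leave the final deny out
# while editing; run again without it to put the deny back for testing.
holes_rules() {
    ${fwcmd} -q flush
    ${fwcmd} add 100 allow tcp from ${mgmt_net} to ${oip} 22 in via ${oif}
    ${fwcmd} add 110 allow tcp from any to any established
    ${fwcmd} add 200 allow tcp from any to ${oip} 25 in via ${oif} setup
    if [ "$1" != "open" ]; then
        ${fwcmd} add 65000 deny ip from any to any
    fi
}

# Dispatcher so the script can be run directly:
#   fwcmd=echo ./fw.sh holes open    (preview the "open" working set)
#   ./fw.sh holes                    (load the set with the final deny)
case "${1:-}" in
    masking) masking_rules ;;
    holes)   holes_rules "${2:-}" ;;
    *)       echo "usage: $0 masking | holes [open]" ;;
esac
```

Running the "holes" style with the deny in place from a remote session only works because rule 100 is added before the flush-to-deny window closes; with the kernel default of deny and no such hole, a reload that stalls between flush and the allow rules cuts the session, which is the problem the original question describes.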