Date:      Fri, 17 Jan 2003 02:44:18 +0300 (MSK)
From:      "."@babolo.ru
To:        Nate Williams <nate@yogotech.com>
Cc:        "."@babolo.ru, Josh Brooks <user@mail.econolodgetulsa.com>, Sean Chittenden <sean@chittenden.org>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <200301162344.h0GNiIZk002530@aaz.links.ru>
In-Reply-To: <15911.15011.409213.712266@emerger.yogotech.com>

> > Try this simple ruleset:
> > 
> > possible deny log tcp from any to any setup tcpoptions !mss
> > 
> > ipfw add allow ip from any to any out
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > ipfw add deny log ip from any to any
> 
> I'd limit these to the outside interface, for performance rules.
> 
> # Whatever the interface is...
> outif="fxp0"
> ipfw add allow ip from any to any out via ${outif}
> ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> ipfw add deny log ip from any to any via ${outif}
> 
> etc...
Your above ruleset seems to be correct ... if you add
some rule for outgoing traffic.
I was too fast and kept in mind only incoming traffic.

Effectiveness depends on the number of interfaces.
If I remember right, one external and one internal.
If so, the ruleset without interfaces defined
for the allow rules is not worse than with interfaces IMHO.

> Or, you could do.
> # The internal interface is not filtered
> intif="fxp1"
> ipfw add allow all from any to any via ${intif}
> 
> # Everything else only applies to the external interface
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any
Agreed

> Nate
> 

-- 
@BABOLO      http://links.ru/
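The interface-scoped ruleset discussed in the thread, written out as one script (an added example, not code from either poster). It combines the two variants above: the internal interface passes unfiltered, everything else is bound to the external interface with `via`. fxp0/fxp1 are assumed to be external/internal, the host list is a constructed placeholder for your.c.net{x,y,z}, and `set -u` is there so that a mistyped variable name (as in the `${inif}`/`${intif}` slip above) aborts the script instead of silently emitting a rule with an empty interface.

```shell
#!/bin/sh
# Builds and optionally applies the ipfw ruleset from the thread.
# -e: stop on the first failing ipfw command
# -u: an unset variable (a typo like ${inif}) is an error, not an empty string
set -eu

outif="fxp0"                    # assumed external interface
intif="fxp1"                    # assumed internal interface
hosts="192.0.2.10 192.0.2.11"   # constructed placeholder for the protected hosts
IPFW="${IPFW:-ipfw}"            # set IPFW="echo ipfw" for a dry run

# Emits one ipfw rule per line, in the order they must be added.
build_rules() {
  # internal side is not filtered at all
  echo "add allow all from any to any via ${intif}"
  # everything below only ever matches on the external interface
  echo "add allow ip from any to any out via ${outif}"
  for h in $hosts; do
    echo "add allow ip from any to $h via ${outif}"
  done
  # default: drop and log whatever reached the external interface unmatched
  echo "add deny log ip from any to any via ${outif}"
}

# Feeds each generated rule to ipfw (or to "echo ipfw" in dry-run mode).
apply_rules() {
  build_rules | while IFS= read -r rule; do
    # shellcheck disable=SC2086  # word splitting of $rule is intended here
    $IPFW $rule
  done
}

case "${1:-}" in
  --dry-run) IPFW="echo ipfw"; apply_rules ;;
  --apply)   apply_rules ;;
esac
```

Run with `--dry-run` first to review the exact commands before `--apply`.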

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message