Date: Mon, 26 Feb 2007 11:25:16 +0200
From: Nikos Vassiliadis <nvass@teledomenet.gr>
To: freebsd-questions@freebsd.org
Cc: Curby <curby.public@gmail.com>
Subject: Re: ipfw questions
Message-ID: <200702261125.16649.nvass@teledomenet.gr>
In-Reply-To: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>
References: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>
On Sunday 25 February 2007 13:33, Curby wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.
>
> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services? Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.
>
Firewalls also protect networks and not just single computers.
These rules are quite generic. A "deny ip from any to any"
would be a good default for a firewall and so it is by default:
From the ipfw man page:

    An ipfw ruleset always includes a default rule (numbered 65535) which
    cannot be modified or deleted, and matches all packets. The action
    associated with the default rule can be either deny or allow depending
    on how the kernel is configured.
Most ready-to-use rulesets will have such generalizations. It doesn't make
much of a difference; you can't say they are wrong, and since you know
exactly what you want to achieve, it's up to you to change them to
fit your situation perfectly...
> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
I don't know about Mac but on FreeBSD they are redundant anyway.
The TCP/IP stack denies packets from/to 127/8 coming from a wire,
and it also denies sending packets to/from 127/8 down to a wire.
> deny log ip from 224.0.0.0/3 to any in
A 224/4 source address is just not valid. The rest
(240/4) is reserved for future use.
> deny log tcp from any to 224.0.0.0/3 in
Also, it's not possible to multicast TCP (224/4). Since
240/4 is reserved for future use, I would say they are invalid
too.
So, these rules protect weak TCP/IP stacks. They are filtering
what is already invalid.
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features. Thanks!
I would feel safe without such firewall rules on a personal FreeBSD box.
Also if you don't feel safe, remember that ipfw comes with a "deny ip
from any to any" rule by default.
HTH, Nikos
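The two points in this exchange, first-match evaluation ending in the fixed rule 65535 that Nikos quotes from the man page, and the difference between "to me" and "to any" that Curby asks about, can be made concrete with a small model of ipfw rule matching. The following is an added example written for this page; it is not ipfw, not Apple's ruleset code, and not anything from the thread. It models only the rule keywords the thread uses (action, log, a protocol, from/to with a CIDR prefix, any or me, and in/out), does not model verrevpath, and the LOCAL_ADDRS set, the rule numbers, and the 192.0.2.x / 198.51.100.x addresses are constructed documentation values:

```python
"""Tiny model of ipfw first-match rule evaluation (added example, not ipfw)."""
import ipaddress
from dataclasses import dataclass

# Constructed: the addresses the keyword "me" resolves to on this host.
LOCAL_ADDRS = {"192.0.2.10", "127.0.0.1"}


@dataclass
class Rule:
    number: int
    action: str             # "allow" or "deny"
    proto: str              # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: str                # CIDR prefix, "any" or "me"
    dst: str
    direction: str = "any"  # "in", "out" or "any"
    log: bool = False


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    direction: str


def parse_rule(number, text):
    """Parse the subset of ipfw syntax used in the thread:
    <action> [log] <proto> from <src> to <dst> [in|out]"""
    tokens = text.split()
    action = tokens.pop(0)
    log = bool(tokens) and tokens[0] == "log"
    if log:
        tokens.pop(0)
    proto = tokens.pop(0)
    if tokens.pop(0) != "from":
        raise ValueError("expected 'from'")
    src = tokens.pop(0)
    if tokens.pop(0) != "to":
        raise ValueError("expected 'to'")
    dst = tokens.pop(0)
    direction = tokens.pop(0) if tokens else "any"
    return Rule(number, action, proto, src, dst, direction, log)


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


# Rule 65535 is always present and cannot be removed; its action is fixed at
# kernel build time. Modelled here as deny, the default the thread recommends.
DEFAULT_RULE = Rule(65535, "deny", "ip", "any", "any")


def evaluate(ruleset, pkt):
    """Return (action, rule number) of the first rule that matches the packet."""
    for rule in sorted(ruleset, key=lambda r: r.number) + [DEFAULT_RULE]:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    raise AssertionError("unreachable: rule 65535 matches everything")


def covered_by(prefix, new_prefix=4):
    """List the /4 blocks a prefix spans: 224.0.0.0/3 is 224/4 (multicast) plus 240/4 (reserved)."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefix)]


# Constructed ruleset: Apple's four rules quoted in the thread, followed by one
# allow rule written "to me" and, for comparison, the same rule written "to any".
BOGON_RULES = [
    parse_rule(100, "deny log ip from 127.0.0.0/8 to any in"),
    parse_rule(110, "deny log ip from any to 127.0.0.0/8 in"),
    parse_rule(120, "deny log ip from 224.0.0.0/3 to any in"),
    parse_rule(130, "deny log tcp from any to 224.0.0.0/3 in"),
]
RULESET_TO_ME = BOGON_RULES + [parse_rule(200, "allow tcp from any to me in")]
RULESET_TO_ANY = BOGON_RULES + [parse_rule(200, "allow tcp from any to any in")]

# Constructed packets using documentation address ranges.
SAMPLES = {
    "tcp to this host": Packet("tcp", "198.51.100.7", "192.0.2.10", "in"),
    "tcp to another host": Packet("tcp", "198.51.100.7", "192.0.2.99", "in"),
    "loopback source on wire": Packet("icmp", "127.0.0.5", "192.0.2.10", "in"),
    "tcp to multicast 239/8": Packet("tcp", "198.51.100.7", "239.1.1.1", "in"),
    "udp to reserved 240/4": Packet("udp", "198.51.100.7", "240.0.0.1", "in"),
}

if __name__ == "__main__":
    print("224.0.0.0/3 covers", covered_by("224.0.0.0/3"))
    for name, pkt in SAMPLES.items():
        print(f"{name:24} to-me: {evaluate(RULESET_TO_ME, pkt)}  to-any: {evaluate(RULESET_TO_ANY, pkt)}")
```

The "tcp to another host" packet is the one that separates the two spellings: with "to me" it falls through to rule 65535 and is denied, with "to any" rule 200 accepts it even though the destination is not one of this host's addresses, which matters as soon as the box forwards traffic for a network rather than just protecting itself. The covered_by call shows why a single 224.0.0.0/3 rule reaches both the multicast block and the reserved 240/4 block that the thread discusses.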