Date:      Fri, 18 Sep 2009 13:52:28 -0400
From:      Steve Bertrand <steve@ibctech.ca>
To:        Freeco <freeco@inbox.lv>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPF, NAT or NIC
Message-ID:  <4AB3C8DC.7000509@ibctech.ca>
In-Reply-To: <25512314.post@talk.nabble.com>
References:  <25491958.post@talk.nabble.com>	<20090917174950.GC34712@ei.bzerk.org>	<25504647.post@talk.nabble.com>	<200909180815.n8I8FpFS045063@banyan.cs.ait.ac.th>	<25507235.post@talk.nabble.com> <4AB37AE0.2070409@ibctech.ca>	<4AB37F5D.50206@ibctech.ca> <25509501.post@talk.nabble.com>	<4AB397CF.2030809@ibctech.ca> <25510716.post@talk.nabble.com>	<4AB3AE47.1090403@ibctech.ca> <25511903.post@talk.nabble.com>	<4AB3BA03.5030603@ibctech.ca> <25512314.post@talk.nabble.com>


Freeco wrote:
> Ok, thanks for the advice about the switch. You really helped me so much. Now I'll
> get on with my ipf and nat rules.

I'm glad I could help. So many people here and on other lists have
helped me significantly over the years, so I try to give back whenever I
can/have time.

> What ports do you recommend keeping open, and how do I block gateway ping?

About the ports... that depends on what you are going to do. My theory
is, unless you are an Internet Provider, all ports should be closed by
default, and opened on an as-needed basis. Generally, there isn't
very much that will break if you block everything coming into the ISP
side of your gateway (so long as you are using the firewall as a
'stateful' firewall).

On the other hand, having the idea that "wide open and block certain
things" leads to accidentally leaving things like SSH on your gateway
accessible.

As for the ping.

I am generally dead against blocking any type of ICMP. I've spent
countless nights trying to troubleshoot wide-scale Internet reachability
problems because someone out there decided that blocking ICMP was the
same as blocking ping. This goes against my above 'deny everything', but
it's my only exception. Those who have ever had to deal with pmtud
issues when it's least expected know exactly what I mean.

Issues caused by careless filtering of ICMP can have the same effect on
a home user as they do on an ISP, but the home user will likely have a
much harder time figuring out what is wrong :)

For instance, most will do the following:

# ipfw add 100 deny icmp from any to any in

You just broke Path MTU Discovery, lost the ability to learn when a
remote port/host is unreachable, and our tests earlier would have failed
as well. If your firewall is clamped down, there is no real good reason
to block ping requests IMHO.

If you don't want others on the WAN side to be able to ping you, block
ICMP Type 8 messages inbound only. In IPFW, it would look like this:

# ipfw add 10 deny icmp from any to me in via $ext_if icmptypes 8
# ipfw add 15 allow icmp from any to any

...but my personal recommendation is to not do it. Even for the simple
fact that if you ever have to call your ISP for support, pinging is one
of the most basic and helpful utilities available.

Again, IMHO.

Cheers,

Steve
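
Since the original question was about ipf rather than ipfw, here is the same policy Steve describes (default deny inbound on the ISP side, stateful outbound, ICMP allowed so PMTUD and unreachables keep working, with only inbound echo requests to the gateway dropped) written as an ipf ruleset. This is an added example, not part of the original message; the interface name em0 and the WAN address 192.0.2.1 are assumed placeholders.

```conf
# /etc/ipf.rules (assumed placeholder interface em0, assumed WAN address 192.0.2.1)
# ipf is last-match unless "quick" is given, so every rule here uses quick
# and ordering is top-down.

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound from the gateway/LAN: keep state so the replies are let back in
# without needing any inbound "allow" rules for them.
pass out quick on em0 proto tcp from any to any flags S keep state
pass out quick on em0 proto udp from any to any keep state
pass out quick on em0 proto icmp from any to any keep state

# The one exception to "deny everything": ICMP. Blocking all of it breaks
# Path MTU Discovery (type 3 code 4) and host/port unreachable reporting.
# If you insist on hiding the gateway from ping, drop only echo requests
# (type 8, named "echo" in ipf) addressed to the gateway itself, then pass
# the rest of ICMP.
block in quick on em0 proto icmp from any to 192.0.2.1 icmp-type echo
pass in quick on em0 proto icmp from any to any

# Everything else coming in from the ISP side is denied (and logged so you
# can see what you are dropping while tuning). Open specific ports above
# this line, on an as-needed basis, e.g.:
#   pass in quick on em0 proto tcp from any to 192.0.2.1 port = 22 flags S keep state
block in log quick on em0 all
```

Steve's advice still stands: leave out the "block in ... icmp-type echo" line unless you have a concrete reason, since being pingable is the first thing your ISP will ask for when troubleshooting.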

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AB3C8DC.7000509>