Date:      Wed, 30 Apr 2003 19:03:54 +0200
From:      Antoine Jacoutot <ajacoutot@lphp.org>
To:        "" <freebsd@code-space.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-ID:  <1051722234.3eb001fabde38@webmail.lphp.org>
In-Reply-To: <000401c30f39$136f0020$0501a8c0@neptune>
References:  <000401c30f39$136f0020$0501a8c0@neptune>

According to C_Ahlers <freebsd@code-space.com>: 
> I realize that the following info is not exactly what you have been 
> looking for - but it is in the spirit of building that perfect 
> firewall... 
 
:-)) 
 
> I would just like to point out that rules 200 and 300 that deal with 
> traffic to and from 127.0.0.0/8 are NOT necessary. 
> The reason for this is simple: FreeBSD doesn't allow that traffic, 
> regardless of the presence of a firewall or not. 
> If you take a look at some source code, specifically: 
> \src\sys\netinet\ip_input.c  (~ line 357) 
> \src\sys\netinet\ip_output.c (~ line 807) 
> you will see code like the following: 
[...] 
> The packets are simply dropped... 
> So this means you have 2 fewer rules to worry about that just clutter 
> your ruleset. 
 
Great advice, thanks. 
So you think setting: 
net.inet.ip.fw.dyn_syn_lifetime=300 
net.inet.ip.fw.dyn_ack_lifetime=300 
 
is OK, right? 
 
Thanks a lot for all the help! 
 
--  
Antoine Jacoutot  
ajacoutot@lphp.org  
http://www.lphp.org  
"Unix is user friendly... It's just selective about who his friends are..."  



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1051722234.3eb001fabde38>
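The two sysctls asked about above set how long ipfw keeps a dynamic (keep-state) entry alive after the last packet that matched it: dyn_syn_lifetime covers a half-open connection where only one side's SYN has been seen, dyn_ack_lifetime covers a connection whose handshake completed. The model below is an added example, not code from the thread or from the FreeBSD source tree; it approximates ip_fw2.c's aging logic (lifetime chosen from the TCP flags seen so far, entry refused once net.inet.ip.fw.dyn_max is reached) so that the effect of raising dyn_syn_lifetime from its 20 s default to 300 s can be seen. The dyn_max value of 4096, the flag-to-lifetime mapping, and the 10.0.0.0/16 and 192.0.2.10 addresses are assumptions made for the example.

```python
from dataclasses import dataclass

# TCP flag bits (RFC 793)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class DynConfig:
    """ipfw sysctls that govern dynamic-rule aging, with shipped defaults.
    dyn_max is an assumption; the cap differs between FreeBSD releases."""
    syn_lifetime: int = 20    # net.inet.ip.fw.dyn_syn_lifetime (half-open)
    ack_lifetime: int = 300   # net.inet.ip.fw.dyn_ack_lifetime (established)
    fin_lifetime: int = 1     # net.inet.ip.fw.dyn_fin_lifetime
    rst_lifetime: int = 1     # net.inet.ip.fw.dyn_rst_lifetime
    dyn_max: int = 4096       # net.inet.ip.fw.dyn_max (assumed value)


@dataclass
class DynRule:
    key: tuple              # (src, sport, dst, dport) of the installing packet
    expire: int             # absolute time at which the entry is dropped
    syn_fwd: bool = False   # SYN seen in the installing direction
    syn_rev: bool = False   # SYN seen in the reverse direction
    fin_seen: bool = False
    rst_seen: bool = False


class DynTable:
    """Approximation of ipfw's dynamic rule table (model, not the kernel code)."""

    def __init__(self, cfg: DynConfig):
        self.cfg = cfg
        self.rules: dict = {}
        self.refused = 0        # packets that could not install a state

    def _lifetime(self, r: DynRule) -> int:
        # Lifetime is re-applied on every packet, based on flags seen so far.
        if r.rst_seen:
            return self.cfg.rst_lifetime
        if r.fin_seen:
            return self.cfg.fin_lifetime
        if r.syn_fwd and r.syn_rev:      # SYN from both sides: established
            return self.cfg.ack_lifetime
        return self.cfg.syn_lifetime     # only one side's SYN: half-open

    def expire(self, now: int) -> None:
        self.rules = {k: r for k, r in self.rules.items() if r.expire > now}

    def alive(self, now: int) -> int:
        self.expire(now)
        return len(self.rules)

    def packet(self, now, src, sport, dst, dport, flags) -> bool:
        """Match or install a state for one packet; False if refused (table full)."""
        self.expire(now)
        fwd_key = (src, sport, dst, dport)
        rev_key = (dst, dport, src, sport)
        forward = True
        r = self.rules.get(fwd_key)
        if r is None:
            r = self.rules.get(rev_key)
            forward = False
        if r is None:
            if len(self.rules) >= self.cfg.dyn_max:
                self.refused += 1
                return False
            r = DynRule(fwd_key, now)
            self.rules[fwd_key] = r
            forward = True
        if flags & SYN:
            if forward:
                r.syn_fwd = True
            else:
                r.syn_rev = True
        if flags & FIN:
            r.fin_seen = True
        if flags & RST:
            r.rst_seen = True
        r.expire = now + self._lifetime(r)
        return True


def syn_flood_occupancy(cfg: DynConfig, rate: int, seconds: int):
    """Constructed SYN flood: `rate` fresh half-open connections per second,
    none ever completed. Returns (entries alive at the end, packets refused)."""
    table = DynTable(cfg)
    n = 0
    for now in range(seconds):
        for _ in range(rate):
            n += 1
            src = f"10.0.{(n >> 8) & 0xFF}.{n & 0xFF}"     # constructed source
            table.packet(now, src, 1024 + n % 60000, "192.0.2.10", 80, SYN)
    return table.alive(seconds), table.refused


if __name__ == "__main__":
    for syn_lt in (20, 300):
        cfg = DynConfig(syn_lifetime=syn_lt)
        print(syn_lt, syn_flood_occupancy(cfg, rate=50, seconds=120))
```

With the 20 s default, a 50 SYN/s flood settles at roughly 1000 half-open entries and nothing is refused; with dyn_syn_lifetime=300 the same flood fills the assumed 4096-entry table in about 82 s, after which new keep-state connections, legitimate ones included, are refused until entries age out. dyn_ack_lifetime=300 only affects completed handshakes, so the SYN lifetime is the one that deserves a second look.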