From owner-freebsd-questions@FreeBSD.ORG Sun Feb 25 12:20:52 2007
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: Curby
Cc: questions@freebsd.org
Date: Sun, 25 Feb 2007 15:20:49 +0300
Subject: Re: ipfw questions
In-Reply-To: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>
References: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>
List-Id: User questions

On 2/25/07, Curby wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.

ipfw@ might be more appropriate.

> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services? Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.

If you don't forward packets, then it's not very different; packets for
"not me" are gonna get dropped anyway right after the firewall.

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features. Thanks!

There are a lot of complicated/illegal configurations where verrevpath
shoots you in the foot. Keeping rules simple and stupid will save you a
lot of headache in the end.
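As an added illustration (not code from the thread or from ipfw itself), the following Python model evaluates the three checks discussed above against a constructed two-interface host: the four explicit deny rules, a `deny ip from any to any not verrevpath in` rule modelled as "the route back to the source must leave through the arrival interface", and the "to me" versus "to any" question with forwarding off. The host, interface names, routes and addresses are made up, and the ipfw semantics are simplified; the point it shows is the reply's warning: a legitimate packet arriving over an asymmetric route is dropped by verrevpath but passed by the explicit rules, while a spoofed multicast source can slip past verrevpath via the default route.

```python
from ipaddress import ip_address as ip, ip_network as net

# Constructed host: two interfaces, forwarding disabled, and one deliberately
# asymmetric route (10.2.0.0/16 is reached via em0 but its traffic arrives on em1).
LOCAL_ADDRS = {ip("192.0.2.10"), ip("198.51.100.10")}
ROUTES = [  # (prefix, outgoing interface), most specific first
    (net("127.0.0.0/8"), "lo0"),
    (net("192.0.2.0/24"), "em0"),
    (net("198.51.100.0/24"), "em1"),
    (net("10.2.0.0/16"), "em0"),
    (net("0.0.0.0/0"), "em0"),
]
FORWARDING = False  # models net.inet.ip.forwarding=0 on this host

LOOPBACK, MCAST = net("127.0.0.0/8"), net("224.0.0.0/3")

def route_iface(addr):
    """Longest-prefix lookup (ROUTES is listed most specific first)."""
    return next((iface for prefix, iface in ROUTES if addr in prefix), None)

def explicit_rules_deny(proto, src, dst):
    """The four rules quoted in the thread: loopback src or dst, multicast
    src, and TCP (only) to a multicast destination."""
    return (src in LOOPBACK or dst in LOOPBACK or src in MCAST
            or (proto == "tcp" and dst in MCAST))

def verrevpath_deny(src, in_iface):
    """Simplified 'not verrevpath': drop when the route back to src does not
    leave through the interface the packet arrived on (no route also fails)."""
    return route_iface(src) != in_iface

def reaches_local_service(dst):
    """With forwarding off, a packet not addressed 'to me' is dropped by the
    stack after ipfw, so 'to any' and 'to me' admit the same packets."""
    return dst in LOCAL_ADDRS or FORWARDING

def classify(proto, src, dst, in_iface):
    src, dst = ip(src), ip(dst)
    return {
        "explicit_deny": explicit_rules_deny(proto, src, dst),
        "verrevpath_deny": verrevpath_deny(src, in_iface),
        "delivered": reaches_local_service(dst),
    }

if __name__ == "__main__":
    for pkt in [("tcp", "127.0.0.1", "192.0.2.10", "em0"),      # spoofed loopback source
                ("udp", "224.0.0.9", "192.0.2.10", "em0"),      # spoofed multicast source
                ("tcp", "10.2.0.5", "198.51.100.10", "em1"),    # legitimate, asymmetric route
                ("tcp", "203.0.113.9", "203.0.113.7", "em0")]:  # not addressed to this host
        print(pkt, classify(*pkt))
```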