Date: Sun, 25 Feb 2007 15:20:49 +0300
From: "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To: Curby <curby.public@gmail.com>
Cc: questions@freebsd.org
Subject: Re: ipfw questions
Message-ID: <cb5206420702250420h1e3bcf5yc695f4db3e9a89@mail.gmail.com>
In-Reply-To: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>
References: <5d2f37910702250333u282334f4s2865ad3b50ef4042@mail.gmail.com>
On 2/25/07, Curby <curby.public@gmail.com> wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.

ipfw@ might be more appropriate

> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services? Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.

If you don't forward packets, then it's not very different; packets for
"not me" are gonna get dropped anyway right after the firewall.

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features. Thanks!

There are a lot of complicated/illegal configurations where verrevpath
shoots you in the foot. Keeping rules simple and stupid will save you a
lot of headache in the end.
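Worked example added by the editor; it is not part of this thread and not code from Apple or from ipfw. It is a small Python model of what Apple's four deny rules and an ipfw `deny ip from any to any not verrevpath in` rule would each do with the same incoming packets, evaluated against a constructed routing table for a hypothetical two-interface host (every address, interface name, route and packet below is an assumption). The verrevpath check is modelled as ipfw(8) describes it: a routing-table lookup on the packet's source address, which passes only when the route's egress interface is the interface the packet arrived on (the real implementation has extra corner cases around the host's own addresses that are left out here). The samples show the cases a practitioner wants to know about before replacing the four rules with one: a spoofed 127/8 source (both catch it), a packet addressed to 127/8 from outside (only the explicit rule catches it, because verrevpath never looks at the destination), UDP to a multicast group (not covered by the tcp-only fourth rule at all), and a legitimate packet heard on an interface other than the one the route back to its source uses, which is the multi-homed or asymmetric-routing case where verrevpath drops traffic the explicit rules would pass.

```python
"""Model of ipfw's verrevpath against Apple's four explicit loopback/multicast
deny rules. Added illustration; the routing table, interfaces and packets are
all constructed, not taken from any real host."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str
    iface: str   # interface the packet arrived on (all packets here are "in")


# Constructed routing table for a hypothetical two-interface host (assumption):
# prefix -> egress interface, resolved by longest-prefix match like a FIB.
ROUTES = {
    ipaddress.ip_network("127.0.0.0/8"): "lo0",
    ipaddress.ip_network("192.168.1.0/24"): "en0",
    ipaddress.ip_network("172.16.0.0/24"): "en1",
    ipaddress.ip_network("10.0.0.0/8"): "en0",   # 10/8 is reached via en0 only
    ipaddress.ip_network("0.0.0.0/0"): "en0",    # default route
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
HIGH_CLASSES = ipaddress.ip_network("224.0.0.0/3")  # 224.0.0.0 - 255.255.255.255


def route_iface(addr):
    """Longest-prefix lookup; None when no route matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def denied_by_verrevpath_rule(pkt):
    """`deny ip from any to any not verrevpath in`: verrevpath looks up the
    SOURCE address and matches only when that route's egress interface is the
    interface the packet came in on. The destination is never consulted, and
    having no route at all also fails the check."""
    return route_iface(pkt.src) != pkt.iface


def denied_by_apple_rules(pkt):
    """Apple's four rules, evaluated in order (all are 'in' rules). Returns the
    text of the first rule that fires, or None if the packet gets past all four."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    rules = [
        ("deny log ip from 127.0.0.0/8 to any in", src in LOOPBACK),
        ("deny log ip from any to 127.0.0.0/8 in", dst in LOOPBACK),
        ("deny log ip from 224.0.0.0/3 to any in", src in HIGH_CLASSES),
        ("deny log tcp from any to 224.0.0.0/3 in",
         pkt.proto == "tcp" and dst in HIGH_CLASSES),
    ]
    for text, hit in rules:
        if hit:
            return text
    return None


def evaluate(pkt):
    """Side-by-side verdict for one packet."""
    return {"apple": denied_by_apple_rules(pkt),
            "verrevpath": denied_by_verrevpath_rule(pkt)}


# Constructed sample packets (assumptions, not captured traffic).
SAMPLES = [
    ("spoofed loopback source on the LAN",
     Packet("tcp", "127.0.0.1", "192.168.1.10", "en0")),
    ("outside host aiming at the loopback address",
     Packet("tcp", "203.0.113.7", "127.0.0.1", "en0")),
    ("multicast source address (default route answers, so verrevpath passes it)",
     Packet("udp", "230.1.1.1", "192.168.1.10", "en0")),
    ("UDP to a multicast group, e.g. SSDP",
     Packet("udp", "192.168.1.5", "239.255.255.250", "en0")),
    ("TCP to a multicast group",
     Packet("tcp", "192.168.1.5", "239.255.255.250", "en0")),
    ("10/8 host heard on en1, but 10/8 is routed via en0",
     Packet("udp", "10.0.0.5", "172.16.0.1", "en1")),
]

if __name__ == "__main__":
    for label, pkt in SAMPLES:
        v = evaluate(pkt)
        print(f"{label}:\n  apple rule hit: {v['apple']}\n"
              f"  dropped by verrevpath: {v['verrevpath']}")
```

Running it prints one verdict pair per sample. The last sample is the one the reply warns about: the packet is perfectly legitimate, nothing in the four explicit rules touches it, and verrevpath drops it purely because the host's route to 10/8 leaves via a different interface than the one it arrived on. The second sample is the other half of the answer to "redundant/obsolete": verrevpath is a source-address check, so the two destination-based rules (to 127.0.0.0/8, tcp to 224.0.0.0/3) are not covered by it at all.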