From: Jon Loeliger
To: Krzysztof Zaraska
Cc: security@FreeBSD.ORG
Subject: Re: IPFW Dynamic Rules
In-reply-to: Your message of "Fri, 10 Aug 2001 14:23:56 +0200."
Clarity-Index: null
Threat-Level: none
Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code.
Net-thought: If you meet the Buddha on the net, put him in your Kill file.
Date: Fri, 10 Aug 2001 16:08:48 -0500

So, like Krzysztof Zaraska was saying to me just the other day:

>
> [ ... ]
>
> Generally I construct firewall rules like this:
> 1. deny everything
> 2. allow all connections from inside to outside world. TEST.
> 3. allow the outside world to connect to selected services. TEST.
> 4. TEST. Specifically check if no unwanted connections may be initiated
>    from outside.

Krzysztof,

This was one of the most enlightening and helpful explanations of IPFW and
packet filtering I've read anywhere!

Thanks for the insight and help!

jdl
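The four-step ordering Krzysztof quotes above, written out as an ipfw stateful (dynamic-rule) ruleset. This is an added example and not code from either message in the thread; the outside interface, inside network, the two exposed services and the DRYRUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the quoted rule order as an ipfw
# stateful ruleset. OIF, INNET, the exposed ports and DRYRUN are assumptions;
# with DRYRUN=1 (the default) the rules are printed rather than loaded.
OIF="fxp0"               # assumed outside interface
INNET="192.168.1.0/24"   # assumed inside network
DRYRUN="${DRYRUN:-1}"

fw() {
    # Print the rule, or hand it to ipfw(8) when DRYRUN=0.
    if [ "$DRYRUN" = "1" ]; then printf 'ipfw %s\n' "$*"; else ipfw "$@"; fi
}

build_ruleset() {
    fw -f flush
    # Match existing dynamic entries first; a TCP packet claiming to belong
    # to an established session that has no dynamic entry is dropped.
    fw add 100 check-state
    fw add 110 deny tcp from any to any established
    # Step 2: inside -> outside is allowed and creates a dynamic entry, so
    # only replies to connections opened from inside can come back in.
    fw add 200 allow ip from "$INNET" to any out via "$OIF" keep-state
    # Step 3: the outside may open connections only to selected services
    # (assumed here: ssh and smtp on the firewall host itself).
    fw add 300 allow tcp from any to me 22 in via "$OIF" setup keep-state
    fw add 310 allow tcp from any to me 25 in via "$OIF" setup keep-state
    # Step 1: everything not matched above is denied (and logged).
    fw add 65000 deny log ip from any to any
}

# Step 4 aid: list exactly what the outside world is allowed to initiate, so
# the exposed surface can be reviewed against what was intended.
inbound_allows() {
    ( DRYRUN=1; build_ruleset ) | grep ' allow ' | grep "in via $OIF"
}

build_ruleset
```

Run with DRYRUN=0 on a host with ipfw to load the rules; `inbound_allows` always stays a dry run so it can be used for review on any machine.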