Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 30 Apr 2003 19:03:54 +0200
From:      Antoine Jacoutot <ajacoutot@lphp.org>
To:        "" <freebsd@code-space.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but needconfirmation
Message-ID:  <1051722234.3eb001fabde38@webmail.lphp.org>
In-Reply-To: <000401c30f39$136f0020$0501a8c0@neptune>
References:  <000401c30f39$136f0020$0501a8c0@neptune>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Selon C_Ahlers <freebsd@code-space.com>: 
> I realize that the following info is not exactly what you have been 
> looking for - but it is in the spirit of building that perfect 
> firewall... 
 
:-)) 
 
> I would just like to point out that rules 200 and 300 that deal with 
> traffic to and from 127.0.0.0/8 are NOT necessary. 
> The reason for this is simple: FreeBSD doesn't allow that traffic, 
> regardless of the presence of a firewall or not. 
> If you take a look at some source code, specifically: 
> \src\sys\netinet\ip_input.c  (~ line 357) 
> \src\sys\netinet\ip_output.c (~ line 807) 
> you will see code like the following: 
[...] 
> The packets are simply dropped... 
> So this means you have 2 less rules to worry about that just clutter 
> your ruleset. 
 
Great advice, thanks. 
So you think setting: 
net.inet.ip.fw.dyn_syn_lifetime=300 
net.inet.ip.fw.dyn_ack_lifetime=300 
 
is OK, right ? 
 
Thanks a lot for all the help ! 
 
--  
Antoine Jacoutot  
ajacoutot@lphp.org  
http://www.lphp.org  
"Unix is user friendly... It's just selective about who his friends are..."  



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?1051722234.3eb001fabde38>