Date:      Wed, 30 Apr 2003 19:03:54 +0200
From:      Antoine Jacoutot <>
To:        "" <>
Subject:   RE: ipfw dynamic rule timeout --> find a solution, but need confirmation
Message-ID:  <>
In-Reply-To: <000401c30f39$136f0020$0501a8c0@neptune>
References:  <000401c30f39$136f0020$0501a8c0@neptune>

C_Ahlers <> wrote:
> I realize that the following info is not exactly what you have been 
> looking for - but it is in the spirit of building that perfect 
> firewall... 
> I would just like to point out that rules 200 and 300 that deal with 
> traffic to and from are NOT necessary. 
> The reason for this is simple: FreeBSD doesn't allow that traffic, 
> regardless of the presence of a firewall or not. 
> If you take a look at some source code, specifically: 
> \src\sys\netinet\ip_input.c  (~ line 357) 
> \src\sys\netinet\ip_output.c (~ line 807) 
> you will see code like the following: 
> The packets are simply dropped... 
> So this means you have 2 less rules to worry about that just clutter 
> your ruleset. 
Great advice, thanks. 
So you think setting: 
is OK, right?
Thanks a lot for all the help!
Antoine Jacoutot  
"Unix is user friendly... It's just selective about who his friends are..."  
