ipfw questions

Andrew Pantyukhin infofarmer at FreeBSD.org
Sun Feb 25 12:20:52 UTC 2007


On 2/25/07, Curby <curby.public at gmail.com> wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.

ipfw@ might be more appropriate

> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services?  Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.

If you don't forward packets, then it's not very different,
packets for "not me" are gonna get dropped anyway right
after the firewall.

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features.  Thanks!

There are a lot of complicated/illegal configurations
when verrevpath shoots you in the foot. Keeping rules
simple and stupid will save you a lot of headache in
the end.
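An added example, not from the thread, that writes the two anti-spoofing styles discussed above as ipfw commands, plus a "to me" service rule for the first question; it dry-runs (prints the commands) unless IPFW is pointed at the real binary, and the rule numbers, port and interface name are assumptions:

```sh
#!/bin/sh
# Added example: emit ipfw(8) rules in dry-run mode. Set IPFW=/sbin/ipfw
# to apply them for real (requires root on a FreeBSD/Mac host).
IPFW=${IPFW:-echo ipfw}

# Apple-style explicit rules, one per bogus address range.
# Rule numbers 1000-1003 are assumed; fit them to your own ruleset.
explicit_antispoof() {
    $IPFW add 1000 deny log ip from 127.0.0.0/8 to any in
    $IPFW add 1001 deny log ip from any to 127.0.0.0/8 in
    $IPFW add 1002 deny log ip from 224.0.0.0/3 to any in
    $IPFW add 1003 deny log tcp from any to 224.0.0.0/3 in
}

# verrevpath variant: drops inbound packets whose SOURCE would not be
# routed back out the interface they arrived on. Two caveats:
#  - it checks only the source, so the "to 127.0.0.0/8" rules above are
#    not replaced by it and should be kept;
#  - on a multihomed host with asymmetric routes it also drops legitimate
#    traffic, which is why scoping it to one external interface is safer.
verrevpath_antispoof() {
    ext=${1:-en0}   # assumed external interface name
    $IPFW add 1000 deny log ip from any to any in via "$ext" not verrevpath
}

# "to me" rather than "to any": matches only addresses configured on this
# host, so the rule cannot accidentally admit forwarded traffic later.
allow_local_service() {
    port=${1:-22}   # assumed service port
    $IPFW add 2000 allow tcp from any to me "$port" in setup
}

explicit_antispoof
verrevpath_antispoof en1
allow_local_service 22
```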
