ipfw questions

Nikos Vassiliadis nvass at teledomenet.gr
Mon Feb 26 09:23:13 UTC 2007 

On Sunday 25 February 2007 13:33, Curby wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.
> 
> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services?  Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.
> 

Firewalls also protect networks and not just single computers.
These rules are quite generic. A "deny ip from any to any"
would be a good default for a firewall and so it is by default:
from ipfw man:
     An ipfw ruleset always includes a default rule (numbered 65535) which
     cannot be modified or deleted, and matches all packets.  The action asso-
     ciated with the default rule can be either deny or allow depending on how
     the kernel is configured.

Most ready-to-use rulesets will have such generalizations. It's not
much of a difference, you can't say they are wrong and since you know
exactly what you want to achieve, it's up to you to change them to
fit perfectly your situation...

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
> 
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
> 
> Is it correct that verrevpath should make these redundant/obsolete?

> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in

I don't know about Mac but on FreeBSD they are redundant anyway.
The TCP/IP stack denies packets from/to 127/8 coming from a wire,
and it also denies sending packets to/from 127/8 down to a wire.

> deny log ip from 224.0.0.0/3 to any in

A 224/4 source address is just not valid. The rest
(240/4) is reserved for future use.

> deny log tcp from any to 224.0.0.0/3 in

Also, it's not possible to multicast TCP(224/4). Since
240/4 is reserved for future I would say they are invalid
too.

So, these rules protect weak TCP/IP stacks. They are filtering
what is already invalid.

> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features.  Thanks!

I would feel safe without such firewall rules on a personal FreeBSD box.
Also if you don't feel safe, remember that ipfw comes with a "deny ip
from any to any" rule by default.

HTH, Nikos

More information about the freebsd-questions mailing list