ipfw questions

Curby curby.public at gmail.com
Mon Feb 26 15:13:40 UTC 2007


Thanks for the replies!

On 2/25/07, Andrew Pantyukhin <infofarmer at freebsd.org> wrote:
> On 2/25/07, Curby <curby.public at gmail.com> wrote:
> If you don't forward packets, then it's not very different,
> packets for "not me" are gonna get dropped anyway right
> after the firewall.

Thanks!  I think I found a case where "to all" is preferable over "to me".
Since SMB seems to like broadcasting things, I'm allowing something like the
following instead of "to me":

allow udp from any 137,138 to any in keep-state

I guess I could write a rule with "to me" and another with the
broadcast address of my subnet, but this is simpler. =)

> There are a lot of complicated/illegal configurations
> when verrevpath shoots you in the foot. Keeping rules
> simple and stupid will save you a lot of headache in
> the end.

I'll keep that in mind as I go forward.  I'm interested in trying to
do traffic control and NAT via hand-written configurations. =)

On 2/26/07, Nikos Vassiliadis <nvass at teledomenet.gr> wrote:
> Most ready-to-use rulesets will have such generalizations. It's not
> much of a difference, you can't say they are wrong and since you know
> exactly what you want to achieve, it's up to you to change them to
> fit perfectly your situation...

Yeah, I wasn't really asking about the default/policy rule so much as
asking for opinions on "to me" vs "to all" for service-related rules,
like:

allow tcp from any to me 22 in keep-state

As I found out, troublesome UDP protocols sometimes send to
multicast/broadcast addresses so that might be a reason for "to all".

> I don't know about Mac but on FreeBSD they are redundant anyway.
> The TCP/IP stack denies packets from/to 127/8 coming from a wire,
> and it also denies sending packets to/from 127/8 down to a wire.

Thanks for the notes about the multicast address space.

I guess I'll just try to keep the ruleset simple and compact, then
tweak as I go.  Thanks!
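A toy matcher for the ipfw address keywords discussed in this thread, added here as an illustration and not taken from the list or from ipfw itself; the host's own addresses and the sample packets are constructed, and only the small subset of rule syntax that appears above is parsed:

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Assumed host (constructed): the addresses ipfw's "me" would resolve to.
MY_ADDRS = {IPv4Address("192.168.1.5"), IPv4Address("127.0.0.1")}
RESERVED = {"in", "out", "keep-state", "via", "setup"}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int

def addr_matches(spec: str, addr: IPv4Address) -> bool:
    """ipfw address spec: 'any' matches everything, 'me' only this host."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in MY_ADDRS
    return addr == IPv4Address(spec)

def port_matches(spec, port: int) -> bool:
    """Comma-separated port list such as '137,138'; None means any port."""
    return spec is None or port in {int(p) for p in spec.split(",")}

def rule_matches(rule: str, pkt: Packet) -> bool:
    """Evaluate 'allow <proto> from <src> [ports] to <dst> [ports] ...'."""
    tok = rule.split()
    if tok[0] != "allow" or tok[2] != "from":
        raise ValueError(f"unsupported rule: {rule}")
    proto, src, i = tok[1], tok[3], 4
    sports = None
    if tok[i] != "to":            # optional source port list
        sports, i = tok[i], i + 1
    dst, i = tok[i + 1], i + 2    # skip the 'to' keyword
    dports = tok[i] if i < len(tok) and tok[i] not in RESERVED else None
    return (proto in (pkt.proto, "ip") and addr_matches(src, pkt.src)
            and port_matches(sports, pkt.sport) and addr_matches(dst, pkt.dst)
            and port_matches(dports, pkt.dport))

# Constructed traffic: SSH to this host, a NetBIOS broadcast, NetBIOS to another LAN host.
SSH = Packet("tcp", IPv4Address("10.0.0.9"), 50000, IPv4Address("192.168.1.5"), 22)
NB_BCAST = Packet("udp", IPv4Address("192.168.1.20"), 137, IPv4Address("192.168.1.255"), 137)
NB_OTHER = Packet("udp", IPv4Address("192.168.1.20"), 138, IPv4Address("192.168.1.7"), 138)
SSH_TO_ME = "allow tcp from any to me 22 in keep-state"
SMB_TO_ME = "allow udp from any 137,138 to me in keep-state"
SMB_TO_ANY = "allow udp from any 137,138 to any in keep-state"
```

The broadcast case is the one that makes "to me" fall short; the other-host case is the trade-off, since "to any" also matches datagrams not addressed to this box, which only matters if it forwards packets.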
