ipfw dynamic rule timeout --> find a solution, but need confirmation

Antoine Jacoutot ajacoutot at lphp.org
Wed Apr 30 10:04:02 PDT 2003


Selon C_Ahlers <freebsd at code-space.com>: 
> I realize that the following info is not exactly what you have been 
> looking for - but it is in the spirit of building that perfect 
> firewall... 
 
:-)) 
 
> I would just like to point out that rules 200 and 300 that deal with 
> traffic to and from 127.0.0.0/8 are NOT necessary. 
> The reason for this is simple: FreeBSD doesn't allow that traffic, 
> regardless of the presence of a firewall or not. 
> If you take a look at some source code, specifically: 
> \src\sys\netinet\ip_input.c  (~ line 357) 
> \src\sys\netinet\ip_output.c (~ line 807) 
> you will see code like the following: 
[...] 
> The packets are simply dropped... 
> So this means you have 2 less rules to worry about that just clutter 
> your ruleset. 
 
Great advice, thanks. 
So you think setting: 
net.inet.ip.fw.dyn_syn_lifetime=300 
net.inet.ip.fw.dyn_ack_lifetime=300 
 
is OK, right?
 
Thanks a lot for all the help!
 
--  
Antoine Jacoutot  
ajacoutot at lphp.org  
http://www.lphp.org  
"Unix is user friendly... It's just selective about who his friends are..."  

