ipfw questions

Curby curby.public at gmail.com
Sun Feb 25 11:58:15 UTC 2007

I'm using IPFW2 on a Mac, but hopefully these questions are general
enough for this list.

First, is there any reason not to prefer "from any to any" over "from
any to me" when adding rules to allow access to local services?  Some
ipfw configurations I've found use "from any to any," which doesn't
seem bad except that it's unnecessarily general.

Also, there's a verrevpath option but Apple's default ruleset still
uses the following:

deny log ip from to any in
deny log ip from any to in
deny log ip from to any in
deny log tcp from any to in

Is it correct that verrevpath should make these redundant/obsolete?
It'd be nice to have one rule instead of 4, but I'm wondering why
Apple isn't using its own supported features.  Thanks!
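An added illustration of both questions as a small rc.firewall-style script; it is not code from the post, from Apple's ruleset or from FreeBSD, and the addresses that were stripped from the quoted rules are not reconstructed: the loopback range 127.0.0.0/8, the multicast range 224.0.0.0/4, the interface en0 and the rule numbers are my own assumptions. On the first question, "me" matches only addresses configured on the host itself, so a "to me" rule cannot be hit by a packet the host would merely forward, which "to any" would admit. On the second, verrevpath matches when a route lookup on the packet's source address would leave through the interface the packet arrived on, so one "not verrevpath" rule covers the two "from <range> to any in" checks (spoofed source) but says nothing about the destination, so the two "to <range> in" rules still need to be stated. By default the script only prints the ipfw commands; set FWCMD=/sbin/ipfw to load them.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple's ruleset).
# Assumed values: interface en0, loopback 127.0.0.0/8, multicast 224.0.0.0/4,
# arbitrary rule numbers. Dry run unless FWCMD points at the real ipfw.
FWCMD="${FWCMD:-echo ipfw}"
EXT_IF="${EXT_IF:-en0}"
LOOPBACK="127.0.0.0/8"
MCAST="224.0.0.0/4"

# Admitting a local service: "me" is any address configured on this host,
# so the first rule cannot match traffic the host would only forward.
# The second rule is the looser "to any" form for comparison.
service_rules() {
    echo "add 02000 allow tcp from any to me 22 in via $EXT_IF setup"
    echo "add 02010 allow tcp from any to any 22 in via $EXT_IF setup"
}

# Four explicit anti-spoofing rules, one per (range, direction) pair,
# in the shape of the quoted Apple rules.
explicit_antispoof_rules() {
    echo "add 02100 deny log ip from $LOOPBACK to any in via $EXT_IF"
    echo "add 02110 deny log ip from any to $LOOPBACK in via $EXT_IF"
    echo "add 02120 deny log ip from $MCAST to any in via $EXT_IF"
    echo "add 02130 deny log tcp from any to $MCAST in via $EXT_IF"
}

# verrevpath: drop an incoming packet whose source address would not be
# routed back out the interface it arrived on. That replaces the two
# "from <range> to any" rules above but checks the source only, so the
# two destination-based rules are kept as they are.
verrevpath_rules() {
    echo "add 02100 deny log ip from any to any in not verrevpath"
    echo "add 02110 deny log ip from any to $LOOPBACK in via $EXT_IF"
    echo "add 02120 deny log tcp from any to $MCAST in via $EXT_IF"
}

# Feed one rule per line to ipfw (or, in the dry run, to echo).
load_rules() {
    "$1" | while read -r rule; do
        $FWCMD $rule
    done
}

main() {
    for ruleset in service_rules explicit_antispoof_rules verrevpath_rules; do
        load_rules "$ruleset"
    done
}

main
```

Running it with no environment prints the ipfw commands it would issue; FWCMD=/sbin/ipfw loads them, and the rule numbers should be adjusted to fit whatever ruleset is already in place.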

More information about the freebsd-questions mailing list