infofarmer at FreeBSD.org
Sun Feb 25 12:20:52 UTC 2007
On 2/25/07, Curby <curby.public at gmail.com> wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.
ipfw@ might be more appropriate
> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services? Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.
If you don't forward packets, then it's not very different,
packets for "not me" are gonna get dropped anyway right
after the firewall.
> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 22.214.171.124/3 to any in
> deny log tcp from any to 126.96.36.199/3 in
> Is it correct that verrevpath should make these redundant/obsolete?
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features. Thanks!
There are a lot of complicated/illegal configurations
when verrevpath shoots you in the foot. Keeping rules
simple and stupid will save you a lot of headache in