Andrew Pantyukhin infofarmer at FreeBSD.org
Sun Feb 25 12:20:52 UTC 2007

On 2/25/07, Curby <curby.public at gmail.com> wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.

ipfw@ might be more appropriate

> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services?  Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.

If you don't forward packets, then it's not very different;
packets for "not me" are gonna get dropped anyway right
after the firewall.

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
> deny log ip from to any in
> deny log ip from any to in
> deny log ip from to any in
> deny log tcp from any to in
> Is it correct that verrevpath should make these redundant/obsolete?
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features.  Thanks!

There are a lot of complicated/illegal configurations
when verrevpath shoots you in the foot. Keeping rules
simple and stupid will save you a lot of headache in
the end.
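As an added example that is not part of this thread (it is not Apple's ruleset, and the interface name en0 and the address blocks are constructed assumptions), here is a small ipfw rule file for a host that does not forward packets. It uses "to me" for local services and shows both the explicit anti-spoofing rules and the single verrevpath rule that could replace them, with the caveat Andrew raises noted beside it:

```ipfw
# Constructed example for a single-homed host that does not forward.
# Load with:  ipfw -q flush; ipfw -q /etc/ipfw.rules
# The interface (en0) and address ranges are assumptions, not from the thread.

# Loopback traffic is always fine; loopback addresses on any other
# interface can only be spoofed.
add 100 allow ip from any to any via lo0
add 110 deny log ip from any to 127.0.0.0/8 in
add 120 deny log ip from 127.0.0.0/8 to any in

# Explicit anti-spoofing: our own address must never arrive from outside,
# and private ranges have no business coming in on the public interface.
# These are the kind of per-prefix rules a verrevpath rule can replace.
add 200 deny log ip from me to any in via en0
add 210 deny log ip from 10.0.0.0/8 to any in via en0
add 220 deny log ip from 172.16.0.0/12 to any in via en0
add 230 deny log ip from 192.168.0.0/16 to any in via en0

# Alternative in one rule: drop inbound packets whose source address would
# not be routed back out the interface they arrived on.  Left commented out
# on purpose: it also drops legitimate traffic under asymmetric routing or
# on multi-homed hosts, which is why the explicit list above is the
# simpler, more predictable choice for a single-homed box.
# add 240 deny log ip from any to any not verrevpath in

# Stateful allow for connections this host initiates.
add 300 check-state
add 310 allow ip from me to any out keep-state

# Local services: on a non-forwarding host "to me" is all that is needed,
# since packets for anything else would never be delivered anyway.
add 400 allow tcp from any to me 22 in setup keep-state
add 410 allow tcp from any to me 80,443 in setup keep-state

# Only the ICMP types needed for path MTU, unreachable and ping to work.
add 500 allow icmp from any to me icmptypes 0,3,8,11

# Everything else is denied and logged.
add 65000 deny log ip from any to any
```

Test a ruleset like this from the console rather than over SSH, since rule 400 is the only thing keeping a remote session open while you reload.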

