curby.public at gmail.com
Mon Feb 26 15:13:40 UTC 2007
Thanks for the replies!
On 2/25/07, Andrew Pantyukhin <infofarmer at freebsd.org> wrote:
> On 2/25/07, Curby <curby.public at gmail.com> wrote:
> If you don't forward packets, then it's not very different,
> packets for "not me" are gonna get dropped anyway right
> after the firewall.
Thanks! I think I found a case where "to all" is preferable to "to me".
Since SMB seems to like broadcasting things, I'm allowing something like
the following instead of "to me":
allow udp from any 137,138 to any in keep-state
I guess I could write a rule with "to me" and another with the
broadcast address of my subnet, but this is simpler. =)
> There are a lot of complicated/illegal configurations
> when verrevpath shoots you in the foot. Keeping rules
> simple and stupid will save you a lot of headache in
> the end.
I'll keep that in mind as I go forward. I'm interested in trying to
do traffic control and NAT via hand-written configurations. =)
On 2/26/07, Nikos Vassiliadis <nvass at teledomenet.gr> wrote:
> Most ready-to-use rulesets will have such generalizations. It's not
> much of a difference, you can't say they are wrong and since you know
> exactly what you want to achieve, it's up to you to change them to
> fit perfectly your situation...
Yeah, I wasn't really asking about the default/policy rule so much as
asking for opinions on "to me" vs "to all" for service-related rules such as:
allow tcp from any to me 22 in keep-state
As I found out, troublesome UDP protocols sometimes send to
multicast/broadcast addresses so that might be a reason for "to all".
> I don't know about Mac but on FreeBSD they are redundant anyway.
> The TCP/IP stack denies packets from/to 127/8 coming from a wire,
> and it also denies sending packets to/from 127/8 down to a wire.
Thanks for the notes about the multicast address space.
I guess I'll just try to keep the ruleset simple and compact, then
tweak as I go. Thanks!
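To make the "to me" vs "to any" difference from this thread concrete, here is an added example (not from the thread, and not ipfw's own code): a toy matcher for the rule forms quoted above, run over a constructed host address and /24 LAN. It shows that a NetBIOS datagram sent to the subnet's broadcast address matches "to any" but never "to me", unless a second rule names the broadcast address, as the post suggests.

```python
import ipaddress
# Constructed host: one address on a /24 LAN (assumed values, not from the thread).
MY_ADDRS = {ipaddress.ip_address("192.168.1.10")}
LAN = ipaddress.ip_network("192.168.1.0/24")
OPTIONS = {"in", "out", "keep-state"}

def parse_ports(tok):  # '137,138' or '6000-6010' -> set of port numbers
    ports = set()
    for part in tok.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(text):
    """Parse the 'action proto from src [ports] to dst [ports] opts' subset of ipfw syntax."""
    toks = text.split()
    rule = {"action": toks[0], "proto": toks[1], "sports": None, "dports": None}
    i = toks.index("from") + 1
    rule["src"] = toks[i]
    if toks[i + 1] != "to":  # optional source port list
        rule["sports"] = parse_ports(toks[i + 1]); i += 1
    rule["dst"] = toks[i + 2]; i += 3
    if i < len(toks) and toks[i] not in OPTIONS:  # optional destination port list
        rule["dports"] = parse_ports(toks[i]); i += 1
    rule["opts"] = set(toks[i:])
    return rule

def addr_matches(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "me":  # ipfw 'me': an address configured on one of this host's interfaces
        return ip in MY_ADDRS
    return ip in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    # pkt = (proto, src_ip, sport, dst_ip, dport, direction); keep-state is not modelled
    proto, src, sport, dst, dport, direction = pkt
    return (rule["proto"] == proto and direction in rule["opts"]
            and addr_matches(rule["src"], src) and addr_matches(rule["dst"], dst)
            and (rule["sports"] is None or sport in rule["sports"])
            and (rule["dports"] is None or dport in rule["dports"]))

def decide(ruleset, pkt):
    for rule in map(parse_rule, ruleset):  # first matching rule wins
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"  # unmatched packets hit ipfw's default deny rule
# A NetBIOS name-service broadcast (constructed) that a 'to me' rule never matches.
NETBIOS_BCAST = ("udp", "192.168.1.20", 137, str(LAN.broadcast_address), 137, "in")
```

Calling decide() with the "to me" rule returns "deny" for NETBIOS_BCAST, while the "to any" rule, or "to me" plus a rule for 192.168.1.255, returns "allow"; the unicast SSH rule from the post still only admits packets addressed to the host itself.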