"Louis A. Mamakos" wrote:
> EGP hasn't been in wide use for probably 7 or 8 years now.
> I think the real problem with this dynamic link issue and keeping the
> connection up is that the default policy is wrong.  You ought to
> specify what sort of traffic is "important" and should cause a
> dynamic link to be established (and kept up), rather than trying
> to exclude things.
> For example, you'd probably not want to have NTP establish or keep
> your link up; perhaps not DNS, either.  Probabably you'd want
> TCP/SSH or TCP/HTTPD though.

Most SSH and HTTP traffic is preceeded by a DNS lookup; if you don't allow 
the DNS traffic, the SSH or HTTP traffic will never occur.  Trying to 
predict how these things happen is a non-obvious exercise that requires
careful study or you will break things horribly.  We tune our default
firewall configuration by practicing on our real, live internet connection
at work, just to make sure we're not cutting off our customers heads.  It
can be quite irritating at times, but fits with the "eat your own dog food"

           Where am I, and what am I doing in this handbasket?

Wes Peters                                                     [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to