> > Try this simple ruleset:
> >
> > possible deny log tcp from any to any setup tcpoptions !mss
> >
> > ipfw add allow ip from any to any out
> > ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> > ipfw add deny log ip from any to any
>
> I'd limit these to the outside interface, for performance rules.
>
> # Whatever the interface is...
> outif="fxp0"
> ipfw add allow ip from any to any out via ${outif}
> ipfw add allow ip from any to your.c.net{x,y,z,so on...} via ${outif}
> ipfw add deny log ip from any to any via ${outif}
>
> etc...

Your above ruleset seems to be correct ... if you add some rule for outgoing traffic.
I was too fast and kept in mind only incoming traffic.

Effectiveness depends on the number of interfaces. If I remember right, one external and one internal. If so, the ruleset without interfaces defined for allow rules is not worse than without interfaces IMHO.

> Or, you could do.
> # The internal interface is not filtered
> intif="fxp1"
> ipfw add allow all from any to any via ${intif}
>
> # Everything else only applies to the external interface
> ipfw add allow ip from any to any out
> ipfw add allow ip from any to your.c.net{x,y,z,so on...}
> ipfw add deny log ip from any to any

Agreed

> Nate

--
@BABOLO http://links.ru/

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
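A consolidated version of the interface-restricted ruleset the thread converges on (internal interface unfiltered, default deny-and-log on the external one), as an added example rather than code from the thread; the function name, the explicit rule numbers and the IPFW dry-run variable are my additions, and it assumes the one-external/one-internal layout discussed above:

```shell
#!/bin/sh
# Added example, not from the thread. Prints the ipfw commands by default so it
# can be reviewed offline; set IPFW=ipfw on a FreeBSD host to apply them.
IPFW="${IPFW:-echo ipfw}"

# gen_ipfw_rules OUTIF INTIF HOST...
#   OUTIF  external interface (e.g. fxp0), the only one that is filtered
#   INTIF  internal interface (e.g. fxp1), passed unfiltered
#   HOST   addresses on your network that outside hosts may reach
# Rule numbers step by 100 so local additions can be slotted in between.
gen_ipfw_rules() {
    outif="$1"; intif="$2"; shift 2
    n=100
    # Internal interface: never filtered.
    $IPFW add $n allow ip from any to any via "$intif"
    n=$((n + 100))
    # Outbound on the external interface: everything allowed.
    $IPFW add $n allow ip from any to any out via "$outif"
    n=$((n + 100))
    # One allow rule per published host (the your.c.net{x,y,z,...} list).
    for host in "$@"; do
        $IPFW add $n allow ip from any to "$host" via "$outif"
        n=$((n + 100))
    done
    # Default: everything else arriving on the external interface is
    # dropped and logged, which is the only place the log volume can grow.
    $IPFW add $n deny log ip from any to any via "$outif"
}

# Number of rules the generator emits for a given argument list.
count_rules() {
    gen_ipfw_rules "$@" | wc -l | tr -d ' '
}
```

Running it with no IPFW set (`sh script.sh` after adding a call such as `gen_ipfw_rules fxp0 fxp1 10.0.0.1 10.0.0.2`, constructed addresses) lists the five rules in the order ipfw will evaluate them.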