On 2/25/07, Curby <[EMAIL PROTECTED]> wrote:
I'm using IPFW2 on a Mac, but hopefully these questions are general enough for this list.
ipfw@ might be more appropriate
First, is there any reason not to prefer "from any to any" over "from any to me" when adding rules to allow access to local services? Some ipfw configurations I've found use "from any to any," which doesn't seem bad except that it's unnecessarily general.
If you don't forward packets, then it's not very different, packets for "not me" are gonna get dropped anyway right after the firewall.
Also, there's a verrevpath option but Apple's default ruleset still uses the following: deny log ip from 127.0.0.0/8 to any in deny log ip from any to 127.0.0.0/8 in deny log ip from 184.108.40.206/3 to any in deny log tcp from any to 220.127.116.11/3 in Is it correct that verrevpath should make these redundant/obsolete? It'd be nice to have one rule instead of 4, but I'm wondering why Apple isn't using its own supported features. Thanks!
There are a lot of complicated/illegal configurations when verrevpath shoots you in the foot. Keeping rules simple and stupid will save you a lot of headache in the end. _______________________________________________ firstname.lastname@example.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"