On 2/25/07, Curby <[EMAIL PROTECTED]> wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.

ipfw@ might be more appropriate

> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services?  Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.

If you don't forward packets, then it's not very different,
packets for "not me" are gonna get dropped anyway right
after the firewall.

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?
> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features.  Thanks!

There are a lot of complicated/illegal configurations
when verrevpath shoots you in the foot. Keeping rules
simple and stupid will save you a lot of headache in
the end.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
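To make the "redundant or not" question concrete, here is an added example (not code from the thread, from Apple's ruleset, or from ipfw itself): a small Python model that evaluates the four quoted deny rules and a toy reverse-path check side by side over a handful of constructed inbound packets. The host, its interfaces (en0, en1, lo0) and its routing table are assumptions made up for the example; the reverse-path check is a simplification of verrevpath that does longest-prefix matching over that table and, as a modelling assumption, treats a multicast source as having no usable return path.

```python
"""Explicit anti-spoof deny rules versus a toy reverse-path check.

Added example, not ipfw's implementation: it models the semantics under
discussion on a constructed dual-homed host so the cases where the two
approaches disagree can be seen directly.
"""
import ipaddress

# Constructed routing table (an assumption for the example): default route
# via en0, a second LAN on en1, loopback on lo0.
ROUTES = [
    (ipaddress.ip_network("127.0.0.0/8"), "lo0"),
    (ipaddress.ip_network("192.168.1.0/24"), "en0"),
    (ipaddress.ip_network("10.0.0.0/24"), "en1"),
    (ipaddress.ip_network("0.0.0.0/0"), "en0"),
]

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MCAST = ipaddress.ip_network("224.0.0.0/3")


def route_iface(addr):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def explicit_rules_deny(src, dst, proto, in_iface):
    """The four inbound deny rules quoted in the thread, evaluated in order.
    The first three match any IP protocol; the fourth matches TCP only."""
    if src in LOOPBACK:
        return True
    if dst in LOOPBACK:
        return True
    if src in MCAST:
        return True
    if dst in MCAST and proto == "tcp":
        return True
    return False


def verrevpath_deny(src, dst, proto, in_iface):
    """Toy reverse-path check: deny unless the route back to the SOURCE leaves
    via the interface the packet arrived on. The destination is never looked
    at. Modelling assumption: a multicast source has no usable return path."""
    if src in MCAST:
        return True
    return route_iface(src) != in_iface


# Constructed inbound packets: (label, src, dst, proto, arriving interface).
PACKETS = [
    ("spoofed loopback source", "127.0.0.1", "192.168.1.5", "tcp", "en0"),
    ("loopback destination", "192.168.1.9", "127.0.0.1", "udp", "en0"),
    ("multicast source", "224.1.1.1", "192.168.1.5", "udp", "en0"),
    ("tcp to multicast", "192.168.1.9", "224.0.0.1", "tcp", "en0"),
    ("ordinary internet traffic", "203.0.113.7", "192.168.1.5", "tcp", "en0"),
    ("asymmetric route (10/24 host seen on en0)", "10.0.0.7", "192.168.1.5", "tcp", "en0"),
]


def compare(packets=PACKETS):
    """Return {label: (explicit_rules_deny, verrevpath_deny)} per packet."""
    out = {}
    for label, s, d, proto, iface in packets:
        src, dst = ipaddress.ip_address(s), ipaddress.ip_address(d)
        out[label] = (explicit_rules_deny(src, dst, proto, iface),
                      verrevpath_deny(src, dst, proto, iface))
    return out


def disagreements(packets=PACKETS):
    """Labels where the two approaches differ: these decide whether one can
    stand in for the other on a given host."""
    return [label for label, (e, v) in compare(packets).items() if e != v]


if __name__ == "__main__":
    for label, (e, v) in compare().items():
        print(f"{label:45s} explicit={'deny' if e else 'pass'}  "
              f"verrevpath={'deny' if v else 'pass'}")
```

Running it shows the two checks agree on the spoofed-loopback and multicast-source packets and on ordinary traffic, but disagree in three places: the reverse-path check looks only at the source, so it never catches the two destination rules (loopback destination, TCP to multicast), and on a dual-homed host it drops the legitimate packet whose return route points out a different interface than the one it arrived on, which is the kind of configuration the reply has in mind when it warns that verrevpath can shoot you in the foot.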
