On Sunday 25 February 2007 13:33, Curby wrote:
> I'm using IPFW2 on a Mac, but hopefully these questions are general
> enough for this list.
>
> First, is there any reason not to prefer "from any to any" over "from
> any to me" when adding rules to allow access to local services? Some
> ipfw configurations I've found use "from any to any," which doesn't
> seem bad except that it's unnecessarily general.

Firewalls also protect networks and not just single computers. These rules are quite generic. A "deny ip from any to any" would be a good default for a firewall, and so it is by default; from the ipfw man page:

    An ipfw ruleset always includes a default rule (numbered 65535) which
    cannot be modified or deleted, and matches all packets. The action
    associated with the default rule can be either deny or allow depending
    on how the kernel is configured.

Most ready-to-use rulesets will have such generalizations. It's not much of a difference; you can't say they are wrong, and since you know exactly what you want to achieve, it's up to you to change them to fit your situation perfectly...

> Also, there's a verrevpath option but Apple's default ruleset still
> uses the following:
>
> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in
> deny log ip from 224.0.0.0/3 to any in
> deny log tcp from any to 224.0.0.0/3 in
>
> Is it correct that verrevpath should make these redundant/obsolete?

> deny log ip from 127.0.0.0/8 to any in
> deny log ip from any to 127.0.0.0/8 in

I don't know about Mac, but on FreeBSD they are redundant anyway. The TCP/IP stack denies packets from/to 127/8 coming from a wire, and it also denies sending packets to/from 127/8 down to a wire.

> deny log ip from 224.0.0.0/3 to any in

A 224/4 source address is just not valid. The rest (240/4) is reserved for future use.

> deny log tcp from any to 224.0.0.0/3 in

Also, it's not possible to multicast TCP (224/4). Since 240/4 is reserved for the future, I would say they are invalid too. So, these rules protect weak TCP/IP stacks. They are filtering what is already invalid.

> It'd be nice to have one rule instead of 4, but I'm wondering why
> Apple isn't using its own supported features. Thanks!

I would feel safe without such firewall rules on a personal FreeBSD box. Also, if you don't feel safe, remember that ipfw comes with a "deny ip from any to any" rule by default.

HTH,
Nikos
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
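The points raised in this exchange, put together as one ipfw(8) ruleset script. This is an added example, not Apple's ruleset and not code posted by either participant: it collapses the two 224/3 rules Curby quoted into a single source-address rule (224.0.0.0/3 is exactly 224/4 multicast plus 240/4 reserved), keeps a separate rule for the TCP-to-multicast case, adds a `verrevpath` rule as the general answer to the "redundant/obsolete" question, and uses "from any to me" rather than "from any to any" for the host's own services, with an explicit final deny instead of relying on the default rule 65535. The interface name en0, the service ports 22/80/443, and the dry-run default (the rules are echoed unless IPFW is set to the real binary) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an ipfw ruleset for a single host.
# Assumptions: external interface en0 (Mac naming; use em0 or similar on FreeBSD),
# sshd and a web server as the only local services, and dry-run by default.
# Run for real with:  IPFW=/sbin/ipfw WAN=en0 sh firewall.sh   (as root)
WAN="${WAN:-en0}"
IPFW="${IPFW:-echo ipfw}"   # "echo ipfw" prints the rules instead of loading them

emit_rules() {
    # Flush everything except the immutable default rule 65535.
    $IPFW -q flush

    # Loopback stays on lo0. Nothing from or to 127/8 belongs on a wire, and
    # FreeBSD's stack already refuses it there, so no separate 127/8 rules.
    $IPFW add 100 allow ip from any to any via lo0

    # General spoof check: drop inbound packets whose source address would not
    # be routed back out the interface they arrived on. This is the one feature
    # Curby asked about; it subsumes the address-specific bogon rules below for
    # any prefix that has no route via $WAN.
    $IPFW add 200 deny log ip from any to any in via "$WAN" not verrevpath

    # One rule instead of two for sources: 224.0.0.0/3 = 224/4 (multicast, never
    # a valid unicast source) + 240/4 (reserved). Kept explicit so it is logged
    # under its own rule number rather than buried in the verrevpath log line.
    $IPFW add 300 deny log ip from 224.0.0.0/3 to any in via "$WAN"
    # TCP cannot be multicast, so TCP to 224/3 is invalid by definition.
    $IPFW add 310 deny log tcp from any to 224.0.0.0/3 in via "$WAN"

    # Stateful handling of what this host initiates.
    $IPFW add 400 check-state
    $IPFW add 410 allow ip from me to any out via "$WAN" keep-state

    # Local services: "to me" matches only addresses configured on this host.
    # "to any" would also match traffic the box forwards for other hosts if it
    # ever routes, which is the over-generality Curby noticed.
    $IPFW add 500 allow tcp from any to me 22 in via "$WAN" setup keep-state
    $IPFW add 510 allow tcp from any to me 80,443 in via "$WAN" setup keep-state

    # Rule 65535 is deny or allow depending on the kernel config; do not rely
    # on it. State the deny yourself, with logging, before the default rule.
    $IPFW add 60000 deny log ip from any to any
}

emit_rules
```

In dry-run mode the script prints the exact `ipfw` commands it would run, which is the easiest way to review a ruleset before loading it over a remote session; rule 200 is the one to watch, because a misconfigured `$WAN` or an asymmetric route will make `verrevpath` drop legitimate traffic.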