Thanks for the replies!

On 2/25/07, Andrew Pantyukhin <[EMAIL PROTECTED]> wrote:
On 2/25/07, Curby <[EMAIL PROTECTED]> wrote:
If you don't forward packets, then it's not very different,
packets for "not me" are gonna get dropped anyway right
after the firewall.

Thanks!  I think I found a case where to all is preferable over to me.
Since SMB seems to like broadcasting things, I'm allowing like the
following instead of to me:

allow udp from any 137,138 to any in keep-state

I guess I could write a rule with "to me" and another with the
broadcast address of my subnet, but this is simpler. =)

There are a lot of complicated/illegal configurations
when verrevpath shoots you in the foot. Keeping rules
simple and stupid will save you a lot of headache in
the end.

I'll keep that in mind as I go forward.  I'm interested in trying to
do traffic control and NAT via hand-written configurations. =)

On 2/26/07, Nikos Vassiliadis <[EMAIL PROTECTED]> wrote:
Most ready-to-use rulesets will have such generalizations. It's not
much of a difference, you can't say they are wrong and since you know
exactly what you want to achieve, it's up to you to change them to
fit perfectly your situation...

Yeah, I wasn't really asking about the default/policy rule so much as
asking for opinions on "to me" vs "to all" for service-related rules,

allow tcp from any to me 22 in keep-state

As I found out, troublesome UDP protocols sometimes send to
multicast/broadcast addresses so that might be a reason for "to all".

I don't know about Mac but on FreeBSD they are redundant anyway.
The TCP/IP stack denies packets from/to 127/8 coming from a wire,
and it also denies sending packets to/from 127/8 down to a wire.

Thanks for the notes about the multicast address space.

I guess I'll just try to keep the ruleset simple and compact, then
tweak as I go.  Thanks!
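As an added illustration (not from the thread), the "to me" plus broadcast-address alternative mentioned above, written as a small POSIX sh helper that derives the directed broadcast address from a host address and netmask and prints the two NetBIOS rules for review; it assumes a dotted-quad mask and does not call ipfw itself.

```shell
#!/bin/sh
# Added example, not part of the original mail: emit ipfw rules that accept
# UDP 137/138 only when addressed to this host ("me") or to the subnet's
# directed broadcast, instead of the broader "to any". Rules are printed,
# not loaded, so they can be checked before use.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# broadcast_addr HOST MASK -> directed broadcast address of HOST's subnet
broadcast_addr() {
    host=$(ip_to_int "$1"); mask=$(ip_to_int "$2")
    int_to_ip $(( host | (mask ^ 4294967295) ))
}

# netbios_rules HOST MASK -> two ipfw rule bodies, one per line
netbios_rules() {
    bcast=$(broadcast_addr "$1" "$2")
    printf 'allow udp from any 137,138 to me in keep-state\n'
    printf 'allow udp from any 137,138 to %s in keep-state\n' "$bcast"
}

# Example (constructed host/mask): netbios_rules 192.168.1.10 255.255.255.0
```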