Freeco wrote: > Ok, thanks for advice about switch. You really helped me so much. Now i'll > get with my ipf and nat rules.
I'm glad I could help. So many people here and on other lists have helped me significantly over the years, so I try to give back whenever I can/have time. > What ports u recomend to keep open and how to block gateway ping? About the ports....that depends on what you are going to do. My theory is, unless you are an Internet Provider, all ports should be closed by default, and opened on an as-is needed basis. Generally, there isn't very much that will break if you block everything coming into the ISP side of your gateway (so long as you are using the firewall as a 'stateful' firewall). On the other hand, having the idea that "wide open and block certain things" leads to accidentally leaving things like SSH on your gateway accessible. As for the ping. I am generally dead against blocking any type of ICMP. I've spent countless nights trying to troubleshoot wide-scale Internet reachability problems because someone out there decided that blocking ICMP was the same as blocking ping. This goes against my above 'deny everything', but it's my only exception. Those who have ever had to deal with pmtud issues when it's least expected know exactly what I mean. Issues caused by careless filtering of ICMP can have the same effect to a home user as it does to an ISP, but the home user will likely have a much harder time figuring out what is wrong :) For instance, most will do the following: # ipfw add 100 deny icmp from any to any in You just broke Path MTU Discovery, lost the ability to learn when a remote port/host is unreachable, and our tests earlier would have failed as well. If your firewall is clamped down, there is no real good reason to block ping requests IMHO. If you don't want others on the WAN side to be able to ping you, block ICMP Type 8 messages inbound only. In IPFW, it would look like this: # ipfw add 10 deny icmp from any to me in via $ext_if icmptypes 8 # ipfw add 15 allow icmp from any to any ...but my personal recommendation is to not do it. Even for the simple fact that if you ever have to call your ISP for support, pinging is one of the most basic and helpful utilities available. Again, IMHO. Cheers, Steve
Description: S/MIME Cryptographic Signature