[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
>Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>>On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED] wrote:
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>>
>>> I have no problems communicating within the LAN.
>>>
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>>
>>> When I use the rule set in question, I can ping and send mail but
>>> I cannot access the DNS servers listed in resolv.conf.
>>
>> There are many ways in which your ruleset might break.  Two of the
>> most important comments I wanted to make when I first saw the posts
>> of this thread are: [...]
>>
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>>
>> I saw smtp, pop3, time, http, https and many others.  You
>> don't need to explicitly allow outgoing connections unless
>> the users in the internal LAN are not to be trusted at all
>> and even then IPFW is most of the time not the right way to
>> do it.
>
> If you had read the start of the thread you would have read the new
> handbook firewall section rewrite which explains in detail why there
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of your
posts and available online at:

http://freebsd.a1poweruser.com:6088/FBSD_firewall/

This guide contains a great deal of useful information and it would be
cool if it was somehow incorporated to the Handbook.  It's not yet, but
I like most of the text so I hope it gets converted to SGML and added to
the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this particular
quote from that document, I'm not sure that it is always a good idea but
that's my own opinion:

    "The Outbound section in the following rule set only contains `pass'
    rules which contain selection values that uniquely identify the
    service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be
limited and/or controlled in a more or less strict manner, it looks like
a great idea.

At home, where a couple of machines share a single Internet connection
through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to