Thank you for your opinion about my rewrite of the handbook firewall
section. It has been turned over to the FreeBSD doc group and they
are sanitizing the English and getting it prepared for update to the

To address your opinion that the rule set may be to limiting for a
home user is covered by the following section from the document.

Firewall Rule Set Types

Constructing a software application firewall rule set may seem to be
trivial, but most people get it wrong. The most common mistake is to
create an exclusive firewall rather than an inclusive firewall.

An exclusive firewall allows all services through except for those
matching a set of rules that block certain services.

An inclusive firewall does the reverse.

It only allows services matching the rules through and blocks
everything else. This way you can control what services can
originate behind the firewall destined for the public internet and
also control which services originating from the public internet may
access your network. Inclusive firewalls are far more secure than
exclusive firewalls.


Now many home LAN environments have ms/windows boxes and that system
is the target of all the adware and spyware programs. These
unauthorized programs all most always use non-standard ports to
phone home and report on your activity. The only way to defend
against the 'report home action' is to block all outbound ports
except for those explicitly allowed by firewall rules.

Sure the ipfw firewall rule set you posted will work, but it's so
less secure then the ones contained in the document I wrote. Why
have a poorly defined firewall rule set that leaves a wide open
doorway to the public internet when just a few more rules will
result in the maximum protection possible. My document is written to
give the reader the maximum protection possible by just using the
included samples. This removes the trial and error testing the user
have to go through now using the current handbook as a guide.

New subject.
I see from your post, what looks like you have an automated way to
reformat MS/outlook top post to Unix Bottom post format.

I sure would like to know how you are doing this. I have been on
this list for 4 years and I have never seen this before. Would you
please share with me and the other readers how you do this.


-----Original Message-----
[mailto:[EMAIL PROTECTED] Behalf Of Giorgos
Sent: Saturday, July 31, 2004 6:43 PM
Subject: Re: Firewall Rule Set not allowing access to DNS servers?

[-- Message reformatted to fix Outlook format --]

On 2004-07-31 14:17, JJB <[EMAIL PROTECTED]> wrote:
>Giorgos Keramidas wrote on July 31, 2004 1:36 PM
>>On 2004-07-31 12:08, "James A. Coulter" <[EMAIL PROTECTED]
>>> My LAN is configured with static IP addresses, 192.168.1.x.
>>> I have no problems communicating within the LAN.
>>> I have full connectivity with the internet from every machine on
>>> my LAN when the firewall is open.
>>> When I use the rule set in question, I can ping and send mail
>>> I cannot access the DNS servers listed in resolv.conf.
>> There are many ways in which your ruleset might break.  Two of
>> most important comments I wanted to make when I first saw the
>> of this thread are: [...]
>> b) Why do you use so many rules that 'filter' outgoing traffic?
>> I saw smtp, pop3, time, http, https and many others.  You
>> don't need to explicitly allow outgoing connections unless
>> the users in the internal LAN are not to be trusted at all
>> and even then IPFW is most of the time not the right way to
>> do it.
> If you had read the start of the thread you would have read the
> handbook firewall section rewrite which explains in detail why the
> are rules to control access to the public internet from LAN users.

I've read a very detailed guide that you wrote, linked by one of
posts and available online at:

This guide contains a great deal of useful information and it would
cool if it was somehow incorporated to the Handbook.  It's not yet,
I like most of the text so I hope it gets converted to SGML and
added to
the Handbook either in parts or as a whole.

If by "... which explains in detail why..." you refer to this
quote from that document, I'm not sure that it is always a good idea
that's my own opinion:

    "The Outbound section in the following rule set only contains
    rules which contain selection values that uniquely identify the
    service that is authorized for public internet access."

In a corporate environment, where access to the Internet has to be
limited and/or controlled in a more or less strict manner, it looks
a great idea.

At home, where a couple of machines share a single Internet
through a dialup or DSL line, this might be a bit too limiting ;-)

- Giorgos

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to