On 12/12/05, Graham Menhennitt <[EMAIL PROTECTED]> wrote:
> I got the following output from "ipfw show" in my daily security run output
> email.
>
> +++ /tmp/security.yri47lgA Mon Dec 12 03:01:45 2005
> +00522 3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
> +02522 18 784 deny tcp from any to any in via sis1 setup
> +65530 0 0 deny ip from any to any
> +65535 2 688 deny ip from any to any
>
> Could somebody please explain to me how those packets got past rule 65530 to
> be stopped by (the identical) rule 65535? The ipfw rules have not changed
> since the machine rebooted. The only explanation I have is that the packets
> arrived between the time when the machine started accepting incoming packets
> and when the rules were loaded in /etc/rc.d/ipfw.
>
> If that's the case, it's a pretty good argument for defaulting to rejecting
> packets. Didn't somebody here suggest that this wasn't really necessary a few
> weeks ago (something to do with using pf)?

This is exactly what compiling your kernel with IPFIREWALL does: it defaults to
denying packets. You can change this behavior by adding
IPFIREWALL_DEFAULT_TO_ACCEPT, but it is strongly discouraged.

See sys/conf/NOTES
( http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/NOTES?rev=1.1337&content-type=text/x-cvsweb-markup ).
For pf you need to add IPFILTER_DEFAULT_BLOCK to block packets by default.

Scot

--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
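The check Graham did by eye (non-zero counters on the kernel's built-in rule 65535 even though an identical user catch-all precedes it, so the packets can only have arrived before /etc/rc.d/ipfw loaded the ruleset) can be run over the daily security output automatically. This is an added example, not code from the thread or from FreeBSD; the sample input is the "ipfw show" diff quoted above, constructed inline, and the rule and function names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the lines quoted in the security-run diff above.
SAMPLE_SECURITY_DIFF = """\
+++ /tmp/security.yri47lgA Mon Dec 12 03:01:45 2005
+00522 3530 1204158 deny ip from 10.0.0.0/8 to any via sis1
+02522 18 784 deny tcp from any to any in via sis1 setup
+65530 0 0 deny ip from any to any
+65535 2 688 deny ip from any to any
"""

# ipfw's built-in last rule: it exists from boot, before any ruleset is loaded.
KERNEL_DEFAULT_RULE = 65535

# Optional leading "+" tolerates the diff format of the daily security mail.
RULE_RE = re.compile(r"^\s*\+?(\d{5})\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_ipfw_show(text: str) -> List[Dict]:
    """Parse 'ipfw show' (or its diffed form) into rule dicts; skip non-rule lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules.append({"number": int(num), "packets": int(pkts),
                          "bytes": int(nbytes), "body": body})
    return rules


def packets_before_ruleset(rules: List[Dict]) -> Optional[int]:
    """Packets that hit rule 65535 although an identical user rule precedes it.

    With the ruleset loaded, such packets would have matched the earlier rule,
    so a non-zero count here is traffic seen before /etc/rc.d/ipfw ran.
    Returns None when there is no earlier identical catch-all to compare with.
    """
    default = next((r for r in rules if r["number"] == KERNEL_DEFAULT_RULE), None)
    if default is None:
        return None
    shadowing = [r for r in rules
                 if r["number"] < KERNEL_DEFAULT_RULE and r["body"] == default["body"]]
    return default["packets"] if shadowing else None


if __name__ == "__main__":
    n = packets_before_ruleset(parse_ipfw_show(SAMPLE_SECURITY_DIFF))
    print("packets seen before ruleset load:", n)  # 2 for the sample above
```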
