On 15:49, Tue 08 Apr 08, Stuart Henderson wrote:
> On 2008/04/08 14:47, Ian Chard wrote:
> >>
> >> Hmm, it looks like IP-in-IP packets are blocked by default. See
> >> sysctl(3) about net.inet.ipip.allow.
>
> That's only to the local host; PF normally forwards them unless you do
> a default block (then you need to list the wanted protocols explicitly
> e.g. "pass on iface proto {tcp,udp,icmp,gre,igmp,whatever}")
Isn't this the base setup for a firewall?
There's not a single setup I manage where the default is not a block.
And I'm talking Linux, OpenBSD, Cisco here.
I think the default block is the base of a good firewall.
--
Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
"Why is it drug addicts and computer aficionados are both called users?"
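As an added illustration of the point Stuart makes above (this is not from the thread): a minimal pf.conf that starts from a default block and then names the forwarded protocols explicitly, including IP-in-IP, which is protocol 4 and appears as "ipencap" in /etc/protocols. The interface name and tunnel endpoint addresses are assumed placeholders.

```pf
# Added example, not from the thread. Interface and addresses are assumed.
ext_if = "em0"
tunnel_peer = "192.0.2.10"      # placeholder: remote tunnel endpoint
tunnel_self = "198.51.100.1"    # placeholder: this firewall's endpoint

# Default block: nothing is forwarded unless a later rule passes it.
block all

# Under a default block, IP-in-IP must be listed or pf silently drops it.
# "ipencap" is the /etc/protocols name for protocol 4; "proto 4" also works.
pass on $ext_if proto { tcp, udp, icmp, gre, ipencap }

# Tighter alternative: only the known tunnel endpoints may exchange IP-in-IP.
# pass in  on $ext_if proto ipencap from $tunnel_peer to $tunnel_self
# pass out on $ext_if proto ipencap from $tunnel_self to $tunnel_peer
```

Passing the protocol in pf only covers traffic forwarded through the box; IP-in-IP addressed to the firewall itself additionally needs the net.inet.ipip.allow sysctl mentioned earlier in the thread.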