On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier <conr...@cox.net> wrote:
> > Similarly, for udp rules, be sure to include the keep-state (but not
> > setup) keyword.
>
> Right - if you're just protecting a single host, for example, your
> ruleset might be something like

ipfw add 1000 allow ip from any to any via lo0
ipfw add 1100 check-state
ipfw add 1200 allow tcp from me to any setup keep-state
ipfw add 1300 allow udp from me to any keep-state
# stateful rules for ICMP sometimes work, and sometimes don't - traceroute for example
ipfw add 1400 allow icmp from me to any
ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
# if you don't want to permit inbound echo requests, then use the next one instead
# ipfw add 1500 allow icmp from any to me icmptypes 0,3,11
ipfw add 1600 deny ip from any to any

There are sysctl variables you may want to look at:

sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the behavior of dynamic rule sets. You generally don't need to worry about them for outbound connections, but they are critical for inbound connections - it's trivial to DOS a firewall with dynamic rules.

Regards,
M

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
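As an added example (not part of the thread, and not FreeBSD's own rc scripts), here is the host-only stateful ruleset above wrapped in a script of the kind /etc/rc.conf's firewall_script points at, with the echo-request variant selectable by a variable, plus the net.inet.ip.fw.dyn_* sysctls from ipfw(8) that bound how much dynamic state an attacker can force the box to hold. DRY_RUN, ALLOW_INBOUND_ECHO and DYN_MAX are this example's own knobs, and the lifetime values are illustrative choices, not recommendations from the post.

```shell
#!/bin/sh
# Added example, not from the original thread. Installs the single-host
# stateful ipfw ruleset and tunes the dynamic-rule table.
#
# DRY_RUN=1 (the default here) prints the commands instead of running them,
# so the script can be reviewed on a machine without ipfw.
# ALLOW_INBOUND_ECHO=0 drops ICMP echo requests (type 8) from the inbound rule.
# DYN_MAX caps the number of dynamic rules (sysctl net.inet.ip.fw.dyn_max).

: "${DRY_RUN:=1}"
: "${ALLOW_INBOUND_ECHO:=1}"
: "${DYN_MAX:=4096}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_rules: flush and install the ruleset. Order matters: check-state
# must precede any rule that could match a packet belonging to an existing
# dynamic session, and the final deny catches everything else.
build_rules() {
    run ipfw -f flush
    run ipfw -q add 1000 allow ip from any to any via lo0
    run ipfw -q add 1100 check-state
    run ipfw -q add 1200 allow tcp from me to any setup keep-state
    run ipfw -q add 1300 allow udp from me to any keep-state
    # ICMP is left stateless: traceroute and friends do not fit keep-state well.
    run ipfw -q add 1400 allow icmp from me to any
    if [ "$ALLOW_INBOUND_ECHO" = "1" ]; then
        run ipfw -q add 1500 allow icmp from any to me icmptypes 0,3,8,11
    else
        run ipfw -q add 1500 allow icmp from any to me icmptypes 0,3,11
    fi
    run ipfw -q add 1600 deny ip from any to any
}

# tune_dyn: every keep-state match creates a dynamic rule. dyn_max caps the
# table; the lifetimes decide how fast half-open (syn), idle UDP and
# established (ack) entries are reaped, which is what limits the damage a
# flood of inbound sessions can do. Values here are the example's own.
tune_dyn() {
    run sysctl net.inet.ip.fw.dyn_max="$DYN_MAX"
    run sysctl net.inet.ip.fw.dyn_syn_lifetime=10
    run sysctl net.inet.ip.fw.dyn_udp_lifetime=10
    run sysctl net.inet.ip.fw.dyn_ack_lifetime=300
    run sysctl net.inet.ip.fw.dyn_keepalive=1
}

# dyn_pressure COUNT MAX: feed it the output of
#   sysctl -n net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
# Returns 0 while the table is below 90% full, 1 once it is within 10% of
# dyn_max, the point at which new stateful sessions start being refused.
dyn_pressure() {
    count=$1
    max=$2
    [ $((count * 10)) -lt $((max * 9)) ]
}

main() {
    build_rules
    tune_dyn
}

# Only run when executed directly, not when sourced for testing.
case "$0" in
    *ipfw*) main ;;
esac
```

Running it with DRY_RUN=0 as root applies the rules; with the default DRY_RUN=1 it prints them, which is a cheap way to diff a proposed ruleset against what `ipfw list` currently shows before committing it.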