EFT.Eric Devolder <[EMAIL PROTECTED]> wrote:
>
> -p policy: what's the difference between deny & reject ?
That is answered directly in the man page. "Deny" means to drop the
packet silently. "Reject" means to send back a message to the sender,
telling them that we dropped their packet.
Basically, if you use the "deny" policy, someone trying to forward
packets through your router will see the connection just hang, and then
time out, because we never reply.
If you use the "reject" policy, the connection will abort immediately
with the message "Connection refused."
I prefer the latter behavior. A hanging connection can be caused by all
sorts of problems. A router that reports that it doesn't want to let
you through, is one less source of a hanging connection. :)
> ipfwadm -I -a accept -P tcp -W eth0 -S0.0.0.0/0 1024:65535 -D 192.169.0.1 ftp
> -> means that I accept all incoming packets, going through eth0, tcp
> only, from any address I want, in the port range of 1024:65535 and
> addressed to 192.169.0.1, port ftp ?
That's right. Of course, there are other packets that your system might
receive. Be sure you accept some of those, too. Such as, say, packets
traveling in the OTHER direction. :)
> Now, if I have several rules for let's say -O option, that may concern
> the same range of address, how is this resolved ?
I don't know. What sorts of rules did you have in mind?
Liberal use of input and output rules can either fine-tune your firewall
or make it unusable.
> Is the first matching rule that is used, or the last, or the "closest"
> to the address range ?
The rules are always evaluated in strict order, from top to bottom. You
can examine the lists with the -L option. When you add rules to the
list, you can either add them to the top of the list (with -i) or to the
bottom (with -a). As a general rule, put the rules that match narrow,
specific conditions at the top, and rules that match general, wildcard
conditions, at the bottom. The first rule that matches the packet will
be the one that takes effect.
The default policy, however, is only used when none of the rules match.
See my other message about which rules are consulted, and how the route
table gets involved.
--
[EMAIL PROTECTED] (Fuzzy Fox) || "Nothing takes the taste out of peanut
sometimes known as David DeSimone || butter quite like unrequited love."
http://www.dallas.net/~fox/ || -- Charlie Brown
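An added illustration of the first-match ordering described in the reply above (example code written for this edit, not from the mail or from ipfwadm itself): a small simulator that walks a rule list top to bottom, so you can see why a narrow rule appended with -a below a general accept never fires, while the same rule inserted with -i does, and when the -P default policy is the one that decides. The 203.0.113.0/24 source network and the sample packet are constructed values; ipfwadm's real matching has more fields than modelled here.

```python
# Added example: first-match simulator for ipfwadm-style input rules,
# showing the effect of -i (insert at top) vs -a (append) and -P (policy).
import ipaddress

def make_rule(target, proto=None, iface=None, src="0.0.0.0/0", sports=(0, 65535),
              dst="0.0.0.0/0", dports=(0, 65535)):
    """One rule: target is 'accept', 'deny' or 'reject'; port ranges are inclusive."""
    return {"target": target, "proto": proto, "iface": iface,
            "src": ipaddress.ip_network(src), "sports": sports,
            "dst": ipaddress.ip_network(dst), "dports": dports}

def matches(rule, pkt):
    """True when every field of the rule matches the packet (None = wildcard)."""
    return ((rule["proto"] is None or rule["proto"] == pkt["proto"])
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and rule["sports"][0] <= pkt["sport"] <= rule["sports"][1]
            and ipaddress.ip_address(pkt["dst"]) in rule["dst"]
            and rule["dports"][0] <= pkt["dport"] <= rule["dports"][1])

def evaluate(rules, pkt, policy="reject"):
    """Walk the list top to bottom; the first match wins, else the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# Constructed sample packet: an FTP control connection like the one in the question.
FTP_PKT = {"proto": "tcp", "iface": "eth0", "src": "203.0.113.7", "sport": 40000,
           "dst": "192.169.0.1", "dport": 21}

# Equivalent of: ipfwadm -I -a accept -P tcp -W eth0 -S 0.0.0.0/0 1024:65535 -D 192.169.0.1 ftp
ACCEPT_FTP = make_rule("accept", proto="tcp", iface="eth0",
                       sports=(1024, 65535), dst="192.169.0.1/32", dports=(21, 21))
# Narrower rule denying FTP from one network (constructed, hypothetical address range).
DENY_ONE_NET = make_rule("deny", proto="tcp", src="203.0.113.0/24", dports=(21, 21))

def appended_chain():
    """-a puts the narrow deny below the general accept, so it never fires."""
    return evaluate([ACCEPT_FTP, DENY_ONE_NET], FTP_PKT)

def inserted_chain():
    """-i puts the narrow deny on top, so it shadows the general accept."""
    return evaluate([DENY_ONE_NET, ACCEPT_FTP], FTP_PKT)

def unmatched_packet():
    """A UDP packet matches neither rule, so the -P default policy decides."""
    return evaluate([ACCEPT_FTP, DENY_ONE_NET], dict(FTP_PKT, proto="udp"), policy="reject")
```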