Re: stateful ipfw

Begin <6JudnQNFC-IaOwLZnZ2dnUVZ_smdnZ2d@xxxxxxx>
On 2006-06-26, Jason Bourne <j_bourne_treadstone@xxxxxxxxxxx> wrote:
> # Stop private networks (RFC1918) from entering the outside interface.

Can now be done with a table.


> # Stop draft-manning-dsua-01.txt nets on the outside interface

That's pretty old. It's RFC3330 now. :-)
Also table-fodder, although I use some trickery to allow traffic with a
multicast destination, but not if it has a multicast source address.


> $fwcmd add allow log icmp from any to any icmptypes 8 out xmit ppp0
> $fwcmd add allow log icmp from any to any icmptypes 0 in recv ppp0

I personally don't mind if ping works the other way around too. I'm
not that paranoid, and it does come in useful now and then.


> $fwcmd add allow log icmp from any to any icmptypes 11 in recv ppp0

No point in not sending them, either. Destination unreachable[1] and
header bad are also useful messages to allow through.


> $fwcmd add 65432 deny log tcp from any to any
> $fwcmd add 65433 deny log udp from any to any

I have it generate appropriate errors (within reason) for these, except
for a couple[2] that I drop much earlier on. Personally I much prefer
the network to work properly while I have full control as to what the
outside world can possibly see of me, than that I go hide in a corner
and break all the available methods to debug problems, just because I
must have a firewall. You could label this "hiding in plain sight".


[1] Allowing Path MTU discovery to work is useful.
[2] You know which ones.

--
j p d (at) d s b (dot) t u d e l f t (dot) n l .
This message was originally posted on Usenet in plain text.
Any other representation, additions, or changes do not have my
consent and may be a violation of international copyright law.
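The points made in the reply above, collected into one ipfw script as an added example (not code from the original thread or its posters): bogon tables instead of one rule per network, the ICMP types that keep ping, traceroute and path MTU discovery working, and active rejects in place of the silent drops at 65432/65433. The interface name ppp0 and the rule numbers come from the thread; the table numbers, the address lists and the `apply` argument are assumptions, and FreeBSD 11 and later additionally want `ipfw table N create` before a table is used.

```shell
#!/bin/sh
# Added example, not from the original post. Run as "sh fw.sh apply" to load,
# or "FWCMD=echo sh fw.sh apply" to print the rules without touching ipfw.
fwcmd="${FWCMD:-ipfw -q}"
oif="${OIF:-ppp0}"

# Constructed lists. Table 1: RFC1918 private space. Table 2: other RFC3330
# special-use blocks. 224.0.0.0/4 is left out on purpose: multicast
# destinations stay allowed, only multicast *sources* are refused below.
bogons_private="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
bogons_special="0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 240.0.0.0/4"

load_tables() {
    $fwcmd table 1 flush
    $fwcmd table 2 flush
    for net in $bogons_private; do $fwcmd table 1 add "$net"; done
    for net in $bogons_special; do $fwcmd table 2 add "$net"; done
}

load_rules() {
    $fwcmd -f flush
    $fwcmd add 100 check-state
    # Bogons: refused on arrival at, and on the way out of, the outside interface.
    $fwcmd add 200 deny log ip from "table(1)" to any in recv "$oif"
    $fwcmd add 210 deny log ip from "table(2)" to any in recv "$oif"
    $fwcmd add 220 deny log ip from any to "table(1)" out xmit "$oif"
    $fwcmd add 230 deny log ip from any to "table(2)" out xmit "$oif"
    # A multicast source address is never legitimate; destinations are untouched.
    $fwcmd add 300 deny log ip from 224.0.0.0/4 to any in recv "$oif"
    # ICMP a working network needs: echo both ways (0, 8), destination
    # unreachable (3, path MTU), time exceeded (11), parameter problem (12).
    $fwcmd add 400 allow icmp from any to any icmptypes 0,3,8,11,12
    # Locally originated traffic, tracked statefully.
    $fwcmd add 500 allow tcp from me to any out xmit "$oif" setup keep-state
    $fwcmd add 510 allow udp from me to any out xmit "$oif" keep-state
    # Everything else gets a proper error instead of a black hole:
    # TCP RST and ICMP port unreachable, still logged.
    $fwcmd add 65432 reset log tcp from any to any
    $fwcmd add 65433 unreach port log udp from any to any
}

if [ "${1:-}" = apply ]; then
    load_tables
    load_rules
fi
```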