26.6 IPFW: Couple things

[Giorgos Keramidas]

On 2006-04-14 04:42, Brett Proctor <brettproctor at gmail.com> wrote:
> First off, let me say thank you to whoever is responsible for writing
> all this. Really helpfull stuff. I implemented the NAT-ed statefull
> ruleset (the last example) and found a bug I believe. The offending
> line:
> # Allow out access to my ISP's Domain name server.
> # x.x.x.x must be the IP address of your ISP's DNS
> # Dup these lines if your ISP has more than one DNS server
> # Get the IP addresses from /etc/resolv.conf file
> $cmd 020 $skip tcp from any to x.x.x.x 53 out via $pif setup keep-state
> the TCP part should be UDP I believe. In some previous sections it
> seemed it listed both TCP and UDP rules for DNS, but I believe that
> DNS only uses TCP.

No, DNS uses both UDP and TCP, if necessary.

> Also, is this a bit logically inconsistent? (Very last line)
> # This is skipto location for outbound stateful rules
> $cmd 800 divert natd ip from any to any out via $pif
> $cmd 801 allow ip from any to any
>
> # Everything else is denied by default
> # deny and log all packets that fell through to see what they are
> $cmd 999 deny log all from any to any
>
> Isn't it impossible for anything to get past rule 801? Doesn't it
> essentially make it a default allow-all policy? If i'm not mistaken
> shouldn't rule 999 be moved and changed to 799?

Rule 801 should be removed, if you want to make this a deny-by-default
firewall.

This is an old post, but I only now found the time to read it in detail.
I'll check the current version of the Handbook "Firewall" chapter and
let you know if these comments still apply.

Thanks for the willingless to help us improving the docs :)

- Giorgos