HowTo easy use IPFW

Bill Tillman btillman99 at yahoo.com
Sun Feb 5 12:18:17 UTC 2012




From: Julian Elischer <julian at freebsd.org>
To: Коньков Евгений <kes-kes at yandex.ru> 
Cc: freebsd-net at freebsd.org; freebsd-questions at freebsd.org 
Sent: Sunday, February 5, 2012 2:15 AM
Subject: Re: HowTo easy use IPFW

On 2/4/12 10:53 PM, Julian Elischer wrote:
> On 2/2/12 1:33 AM, Коньков Евгений wrote:
>> this is my script which helps me keep my firewall very clean and safe.
>> 
>> It is easy to understand even if you have thousands of rules, I think =)
>> 
>> please comment.
>> 
>> PS. If anybody may, please put into ports tree. thank you.
> 
> it would probably get more response if it was in a file format we had heard of.. like tar..
> 
> WTF is a ".rar"  file?
BTW the "stuffit" expander on a Mac seems to be able to handle it..

I can see that this would allow you to manage very complex rule sets while keeping errors under control.

I find the syntax hard to follow, however.
I guess that comes from it being a relatively simple perl script doing the work.

it would be nice to get rid of the line numbers entirely in the specifications
and allow the program to completely specify them using symbolic definitions instead.



>> _______________________________________________
>> freebsd-net at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"

_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"


*.rar files have been around a long time. They are created by a program called WinRAR. I never understood the need for this because ever since M$ started including support for zip files built right into Windows Explorer there's no need for an additional compression utility. There are some studies which show WinRAR is a little more efficient with its compression but with today's 2 TB hard drive prices, disk space is not at such a premium anymore. FreeBSD actually has a port for it: /usr/ports/archivers/rar. I have found that this program is mostly used by hackers on the BitTorrent sites who steal and distribute copyrighted software and transmit trojans and viruses so it's been my habit to avoid rar files. If someone I trust sends it I will open it but I don't plan on opening up this guy's ipfw rule set for that very reason. The other reason is that any rule set with 1,000 lines in it has got to be overkill. The simplest advice I could offer here is this:

The only truly safe firewall ruleset consists of one rule and that is:

 deny all from any to any

If you must have Internet access, and we all do, then the next simplest rule set would be:

Build your kernel to have IPFW deny all traffic by default
Allow only the ports you deem necessary for your needs
Deny all other traffic

After you've examined your log files for a few weeks, turn off logging because it's usually just a bunch of crap from IP addresses in China, Amsterdam, or maybe an odd one here and there coming from another source, trying to hack into your computer. I have found over many years that it doesn't pay anything to know about all the attempted attacks. It only pays to stop them cold and the above simple rule set will do just that.
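As an added example (not posted by anyone in this thread), the three steps above and the logging toggle as an ipfw(8) script; the interface name em0, the inbound ports 22 and 443, and the dry-run default that prints rules instead of loading them are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: minimal default-deny ipfw ruleset.
# Kernel side (step 1): with "options IPFIREWALL" and WITHOUT
# IPFIREWALL_DEFAULT_TO_ACCEPT (or net.inet.ip.fw.default_to_accept=0 in
# loader.conf) the implicit rule 65535 already denies everything, so the
# box fails closed even if this script never runs.

DRY_RUN=${DRY_RUN:-1}        # 1 = print the rules, 0 = apply with ipfw(8)
LOGGING=${LOGGING:-1}        # set to 0 after the review period described above
WAN_IF=${WAN_IF:-em0}        # constructed interface name (assumption)
ALLOWED_TCP_IN=${ALLOWED_TCP_IN:-"22 443"}   # inbound services you really run

fw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        ipfw "$@"
    fi
}

build_ruleset() {
    fw -q -f flush                                   # start from an empty table
    fw add 100 allow ip from any to any via lo0      # loopback traffic
    fw add 110 deny ip from any to 127.0.0.0/8       # loopback addresses seen on the wire
    fw add 120 deny ip from 127.0.0.0/8 to any
    fw add 200 check-state                           # replies to connections we opened
    fw add 300 allow tcp from me to any out via "$WAN_IF" setup keep-state
    fw add 310 allow udp from me to any out via "$WAN_IF" keep-state
    for p in $ALLOWED_TCP_IN; do                     # step 2: only the ports you need
        fw add 400 allow tcp from any to me "$p" in via "$WAN_IF" setup keep-state
    done
    if [ "$LOGGING" = 1 ]; then                      # step 3: deny everything else
        fw add 65000 deny log ip from any to any
    else
        fw add 65000 deny ip from any to any         # same rule, logging turned off
    fi
}

build_ruleset
```

Run as `DRY_RUN=0 sh ruleset.sh` from the console (not over the network) to load it, and `LOGGING=0` once the log review period is over.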


More information about the freebsd-net mailing list