Re: rc.firewall

Board: DFBSD_submit  Author:  Time: 21 years ago (2004/10/22 05:32), Edit  Pushes: 0 (0 0 0)
0 comments, 0 participants, latest in thread 2/6
: Hoi,
:
: this replaces rc.firewall so that it doesn't need to be
: modified anymore and can be used with rc.conf variables.
:
: Andy
:
: http://ftp.fortunaty.net/DragonFly/inofficial/patches/rc.firewall.patch

This looks like a very nice rewrite of rc.firewall. Did you write it yourself? If so, can we put the DragonFly copyright on it?

Right off the bat I see a problem with the ICMP rules (but then again the original rc.firewall code also had some issues). There are a couple of ICMP types that have to be allowed through for TCP MTU discovery to work properly; you can't just turn off all ICMP. E.g. packet-too-big, echo, echo-reply, unreachable, traceroute, ttl-exceeded, and parameter-problem should generally be allowed through. I forget the ICMP numbers for them, but those are the ones that have to be allowed.

Also, certain TCP ports have to either be allowed (even if no service is running), or a reset has to be sent for connection attempts on them. Well, at least one TCP port anyway, that being 'auth', port 113. Otherwise auth requests made by, e.g., remote sendmails will create unnecessary delays.

'man firewall' for the low-down.

With the appropriate changes I think this patch can replace our current rc.firewall.

-Matt
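As an added illustration (not part of the original reply or of Andy's patch), the two points above written as ipfw rules in the shape an rc.firewall fragment would use: the ICMP types PMTU discovery and basic diagnostics depend on are allowed by number, everything else ICMP is dropped, and connection attempts to the auth port get a TCP RST instead of being silently dropped. The function name, the `IPFW` override and the rule numbering are assumptions made for this example.

```shell
#!/bin/sh
# Emit (or apply) ipfw rules for the ICMP and auth-port points raised above.
# IPFW defaults to the real ipfw binary; set IPFW=echo for a dry run.
# Usage: firewall_icmp_and_auth_rules <base-rule-number>
firewall_icmp_and_auth_rules() {
    base="${1:-1000}"
    ipfw="${IPFW:-ipfw}"

    # ICMP types that must pass for TCP path-MTU discovery and for
    # ordinary diagnostics to work:
    #   0  echo-reply
    #   3  destination unreachable (code 4 is "fragmentation needed",
    #      i.e. the packet-too-big message PMTUD relies on)
    #   8  echo
    #  11  time-exceeded (what traceroute actually depends on)
    #  12  parameter-problem
    # Type 30 was a dedicated traceroute message but is obsolete, so it is
    # left out; types 3 and 11 are what traceroute needs in practice.
    icmp_types="0,3,8,11,12"

    # Allow the listed types from anywhere, then drop all other ICMP.
    "$ipfw" add "$base" allow icmp from any to any icmptypes "$icmp_types"
    "$ipfw" add "$((base + 10))" deny icmp from any to any

    # Answer auth (ident, TCP 113) connection attempts with a RST so that
    # remote MTAs doing ident lookups fail fast instead of waiting for a
    # timeout. "me" matches any address configured on this host.
    "$ipfw" add "$((base + 20))" reset tcp from any to me 113
}

# Dry run when executed directly; prints the ipfw commands it would issue.
if [ "${IPFW:-}" = "" ] && [ "${0##*/}" != "sh" ]; then
    IPFW=echo firewall_icmp_and_auth_rules 1000
fi
```

Run with `IPFW=echo` to review the generated rules before loading them; drop the override to apply them with the real ipfw.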
Article ID (AID): #11U2hK00 (DFBSD_submit)