Re: rc.firewall

Board: DFBSD_submit    Author:    Time: 21 years ago (2004/10/22 07:32)    Upvotes: 0 (0 0 0)
0 comments, 0 participants, thread 3/6
dillon wrote @ Thu, 21 Oct 2004 14:23:36 -0700 (PDT):
>
> :Hoi,
> :
> :this replaces rc.firewall so that it doesn't need to be
> :modified anymore and can be used with rc.conf variables.
> :
> :Andy
> :
> :http://ftp.fortunaty.net/DragonFly/inofficial/patches/rc.firewall.patch
>
> This looks like a very nice rewrite of rc.firewall. Did you write it
> yourself? If so, can we put the DragonFly copyright on it?

Yes, of course. Updated to make that clear. Feel free to change the
expression as you like it.

> Right off the bat I see a problem with the ICMP rules (but then again
> the original rc.firewall code also had some issues). There are a
> couple of ICMP types that have to be allowed through for TCP MTU
> discovery to work properly, you can't just turn off all ICMP.
>
> e.g. packet-too-big, echo, echo-reply, unreachable, traceroute,
> ttl-exceeded, and parameter-problem should generally be allowed through.
> I forget the icmp numbers for them but those are the ones that have
> to be allowed.

Updated to use the defaults of firewall(7).

> Also, certain tcp ports have to either be allowed (even if no service
> is running), or a reset has to be sent for connection attempts on them.
> Well, at least one tcp port anyway, that being 'auth', port 113.
> Otherwise auth requests made by, e.g. remote sendmails, will create
> unnecessary delays.

We can do that by adding 113 to open ports - updated.

Andy
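The two points settled in the exchange above, the ICMP types that must pass for path-MTU discovery and the handling of the auth port, as an added example. This is not Andy's rc.firewall.patch and not DragonFly's rc.firewall; it only borrows the ${fwcmd} indirection that rc.firewall uses so the rule set can be printed (fwcmd=echo) instead of loaded (fwcmd=/sbin/ipfw). The variable names firewall_icmp_types and firewall_open_ports are assumptions made for this example, not rc.conf knobs from the patch. The ICMP type numbers are the standard ones: 0 echo-reply, 3 unreachable (code 4 is "fragmentation needed", the packet-too-big case), 4 source-quench, 8 echo, 11 time-exceeded (what traceroute relies on), 12 parameter-problem.

```shell
#!/bin/sh
# Added example, not the rc.firewall.patch from the post.
# fwcmd defaults to echo so the rules are printed; set fwcmd=/sbin/ipfw
# on a real host to load them.
fwcmd="${fwcmd:-echo}"

# ICMP types that must pass for PMTU discovery, ping and traceroute:
#   0 echo-reply, 3 unreachable (code 4 = packet-too-big), 4 source-quench,
#   8 echo, 11 time-exceeded, 12 parameter-problem.
# (variable name is an assumption for this example)
firewall_icmp_types="${firewall_icmp_types:-0,3,4,8,11,12}"

# TCP ports accepted even when no daemon listens; 113 (auth) is included
# so a remote sendmail's ident query is answered at once instead of
# waiting for a timeout. (variable name is an assumption for this example)
firewall_open_ports="${firewall_open_ports:-22 113}"

# One rule passing the listed ICMP types; $1 is the ipfw rule number.
icmp_rule() {
    ${fwcmd} add "$1" allow icmp from any to any icmptypes "${firewall_icmp_types}"
}

# One "allow ... setup" rule per open port, numbered from $1 in steps of 10.
open_port_rules() {
    num="$1"
    for port in ${firewall_open_ports}; do
        ${fwcmd} add "${num}" allow tcp from any to me "${port}" setup
        num=$((num + 10))
    done
}

# The alternative Dillon mentions for auth: answer connection attempts
# with a TCP RST rather than accepting them. ipfw's reset action does this.
auth_reset_rule() {
    ${fwcmd} add "$1" reset tcp from any to me 113 setup
}

# Guard before loading: refuse an ICMP list without type 3, because
# dropping "unreachable" silently breaks PMTU discovery. Returns 1 on failure.
check_icmp_types() {
    case ",${firewall_icmp_types}," in
        *,3,*) return 0 ;;
        *) echo "firewall_icmp_types must include type 3 (unreachable)" >&2
           return 1 ;;
    esac
}

check_icmp_types && icmp_rule 300 && open_port_rules 400
```

Run it as-is to see the rules it would add; with fwcmd=/sbin/ipfw the same functions load them. Whether to use the allow rule or auth_reset_rule for port 113 is the choice Dillon leaves open; either one avoids the delay, the reset variant without accepting the connection.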
文章代碼(AID): #11U4Rq00 (DFBSD_submit)