# Inside Interface (ipfw)
[IPFW] add 200 allow tcp from any to any out xmit via dc0 keep-state
[IPFW] add 200 allow icmp from any to any out xmit via dc0 keep-state
[IPFW] add deny ip from any to any out xmit via dc0
[IPFW] add 200 allow tcp from any to any in recv via dc0 keep-state
[IPFW] add 200 allow icmp from any to any in recv via dc0 keep-state
[IPFW] add deny ip from any to any in recv via dc0
# Loopback Interface
[IPFW] add allow ip from 127.0.0.1 to 127.0.0.1 in recv via lo0
[IPFW] add allow ip from 127.0.0.1 to 127.0.0.1 out xmit via lo0
I've only used ipfw for a little while, but there are a few things I can suggest here.

* A good diagnostic for your rules is

ipfw list

Run this after adding a list of rules, and it shows you how they were
translated by ipfw. It also shows the default rule (number 65535)
which will be allow any or deny any, depending on your kernel options.

* You don't need to supply a number after 'add' - the ipfw command will
number them for you. I'm not sure what happens if you give different
rules the same number, but it probably isn't useful.

* Since you're allowing all out #1 and all in #4, you can combine these
rules as

add allow tcp from any to any via dc0 keep-state

with the same effect.

* Likewise with #2 and #5, they can be combined as

add allow icmp from any to any via dc0 keep-state

* Likewise with #7 and #8.

* The keep-state option allows you to set up two-way traffic based on a
one-way rule. I think it's mainly designed for UDP (where there's no
established connection to allow) but it should work for ICMP as well.

However, since you're already allowing traffic both ways (in & out) it
isn't necessary in this case.

* If your default rule is deny all, you don't need #3 and #6, because it
will be denied anyway.

* If you give a hostname to ipfw, it will resolve the address when
adding the rule.

* So you should be able to do the same thing with

add allow tcp from any to any via dc0
add allow icmp from any to any via dc0
add allow ip from localhost to localhost via lo0

As I said, I've only been using ipfw for a little while so wiser heads may contradict some of this....

Best of luck :-)
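The consolidated ruleset the reply arrives at, written up as a small sh script. This is an added example, not part of the original mail: the `ruleset` and `apply` function names and the interface parameter (dc0 in the thread) are this example's own choices, and it adds an explicit closing `deny ip from any to any` so the result does not depend on whether rule 65535 is allow or deny on the kernel in question (the reply's point about checking that with `ipfw list`).

```shell
#!/bin/sh
# Added example (not from the original mail): print, and optionally load,
# the simplified ipfw ruleset suggested in the reply.

# ruleset IFACE
#   Prints one "ipfw add" argument list per line for the inside interface.
#   Nothing is loaded here, so the output can be reviewed first.
ruleset() {
    iface="$1"
    [ -n "$iface" ] || { echo "usage: ruleset IFACE" >&2; return 1; }
    # Plain "via" matches both "in recv via" and "out xmit via", so the
    # separate in/out rules from the question collapse into one each.
    echo "allow tcp from any to any via $iface"
    echo "allow icmp from any to any via $iface"
    # ipfw resolves hostnames when the rule is added, so "localhost" is
    # equivalent to 127.0.0.1 here.
    echo "allow ip from localhost to localhost via lo0"
    # Explicit catch-all (this example's addition): the policy then reads
    # the same whether the kernel's default rule 65535 is allow or deny.
    echo "deny ip from any to any"
}

# apply IFACE
#   Loads the rules through the real ipfw binary, unnumbered, so ipfw
#   assigns rule numbers itself as the reply describes.
apply() {
    ruleset "$1" | while IFS= read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw token
        ipfw add $rule
    done
}

# With an interface name on the command line, just print the ruleset;
# sourcing the file defines the functions without doing anything.
if [ "$#" -gt 0 ]; then
    ruleset "$1"
fi
```

Run `sh rules.sh dc0` to see the four rules, then `ipfw list` after `apply dc0` to confirm how ipfw numbered them and what rule 65535 is on this kernel.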
