rc.firewall

Matthew Dillon dillon at apollo.backplane.com
Thu Oct 21 14:23:43 PDT 2004


:Hoi,
:
:this replaces rc.firewall so that it doesn't need to be
:modified anymore and can be used with rc.conf variables.
:
:Andy
:
:http://ftp.fortunaty.net/DragonFly/inofficial/patches/rc.firewall.patch

    This looks like a very nice rewrite of rc.firewall.  Did you write it
    yourself?  If so, can we put the DragonFly copyright on it?

    Right off the bat I see a problem with the ICMP rules (but then again
    the original rc.firewall code also had some issues).  There are a
    couple of ICMP types that have to be allowed through for TCP MTU
    discovery to work properly; you can't just turn off all ICMP.

    e.g.  packet-too-big, echo, echo-reply, unreachable, traceroute,
    ttl-exceeded, and parameter-problem should generally be allowed through.
    I forget the icmp numbers for them but those are the ones that have
    to be allowed.

    Also, certain tcp ports have to either be allowed (even if no service
    is running), or a reset has to be sent for connection attempts on them.
    Well, at least one tcp port anyway, that being 'auth', port 113.
    Otherwise auth requests made by, e.g. remote sendmails, will create
    unnecessary delays.

    'man firewall' for the low-down.  With the appropriate changes I think
    this patch can replace our current rc.firewall.

						-Matt
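As an added illustration of the two points Matt raises (it is not Andy's patch and not DragonFly's rc.firewall), the script below emits ipfw rules from rc.conf-style variables: it allows only the ICMP types path-MTU discovery and basic diagnostics depend on, and answers connection attempts on the auth port with a TCP reset instead of silently dropping them. The variable names `firewall_icmp_types`, `firewall_reset_tcp_ports` and `fwcmd` are hypothetical; `fwcmd` defaults to `echo ipfw` so the script only prints the rules it would install unless `fwcmd=/sbin/ipfw` is set in the environment.

```shell
#!/bin/sh
# Added example, not the patch from the post: build the ICMP and auth-port
# rules from rc.conf-style knobs. All variable names are hypothetical.

: "${fwcmd:=echo ipfw}"                   # dry run; set fwcmd=/sbin/ipfw to apply
: "${firewall_icmp_types:=0,3,8,11,12}"   # ICMP types to let through (see below)
: "${firewall_reset_tcp_ports:=113}"      # TCP ports answered with RST (auth/ident)

fw_icmp_rules() {
    # Type 3 (unreachable) carries "fragmentation needed" (code 4), which is
    # what TCP path-MTU discovery needs to see; 0/8 are echo-reply/echo,
    # 11 is ttl-exceeded (traceroute), 12 is parameter-problem. Any other
    # ICMP type is dropped explicitly rather than dropping all of ICMP.
    $fwcmd add 1000 allow icmp from any to any icmptypes "$firewall_icmp_types"
    $fwcmd add 1010 deny icmp from any to any
}

fw_reset_rules() {
    # A reset tells the peer (e.g. a remote sendmail doing an auth lookup)
    # immediately that nothing is listening, so it does not sit in a
    # connect timeout waiting for a reply that a plain deny would swallow.
    for port in $(echo "$firewall_reset_tcp_ports" | tr ',' ' '); do
        $fwcmd add 2000 reset tcp from any to me "$port" in
    done
}

fw_rules() {
    fw_icmp_rules
    fw_reset_rules
}

fw_rules
```

Run as-is to see the rule set that would be installed; the rule numbers 1000/1010/2000 are placeholders chosen so the allow precedes the catch-all deny, and the list can be widened by setting `firewall_reset_tcp_ports=113,25` before sourcing the script.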

More information about the Submit mailing list