DragonFly submit List (threaded) for 2004-10
Re: rc.firewall
dillon wrote @ Thu, 21 Oct 2004 14:23:36 -0700 (PDT):
>
> :Hi,
> :
> :this replaces rc.firewall so that it doesn't need to be
> :modified anymore and can be used with rc.conf variables.
> :
> :Andy
> :
> :http://ftp.fortunaty.net/DragonFly/inofficial/patches/rc.firewall.patch
>
> This looks like a very nice rewrite of rc.firewall. Did you write it
> yourself? If so, can we put the DragonFly copyright on it?
Yes, of course. Updated to make that clear.
Feel free to change the expression as you like it.
> Right off the bat I see a problem with the ICMP rules (but then again
> the original rc.firewall code also had some issues). There are a
> couple of ICMP types that have to be allowed through for TCP MTU
> discovery to work properly, you can't just turn off all ICMP.
>
> e.g. packet-too-big, echo, echo-reply, unreachable, traceroute,
> ttl-exceeded, and parameter-problem should generally be allowed through.
> I forget the icmp numbers for them but those are the ones that have
> to be allowed.
Updated to use the defaults of firewall(7).
> Also, certain tcp ports have to either be allowed (even if no service
> is running), or a reset has to be sent for connection attempts on them.
> Well, at least one tcp port anyway, that being 'auth', port 113.
> Otherwise auth requests made by, e.g. remote sendmails, will create
> unnecessary delays.
We can do that by adding 113 to open ports - updated.
Andy
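To make the two points raised above concrete, here is an rc.conf-driven ipfw fragment added as an illustration; it is not the patch linked in the thread and not DragonFly's rc.firewall. The ICMP types needed for TCP path-MTU discovery are passed explicitly, and the auth port gets an immediate reset rather than a silent drop so remote auth lookups do not hang. The variable names (firewall_cmd, firewall_open_ports, firewall_reset_ports, firewall_icmp_types) and their sample defaults are assumptions chosen for this example, not the patch's names.

```shell
#!/bin/sh
# Added example, not the thread's patch. Variable names and defaults are
# assumptions for illustration; set them in rc.conf style before sourcing.
: "${firewall_cmd:=echo ipfw}"          # "echo ipfw" = dry run, just print rules
: "${firewall_open_ports:=22}"          # TCP ports that accept connections
: "${firewall_reset_ports:=113}"        # TCP ports answered with RST (auth/ident)
# ICMP types kept open so path-MTU discovery and diagnostics keep working:
# 0 echo-reply, 3 unreachable (code 4 = fragmentation needed, i.e.
# packet-too-big), 8 echo, 11 ttl-exceeded, 12 parameter-problem
: "${firewall_icmp_types:=0,3,8,11,12}"

# Print the rule set, one ipfw rule body per line, in evaluation order.
firewall_rules() {
    # Loopback traffic is fine; loopback addresses on the wire are not
    echo "add pass all from any to any via lo0"
    echo "add deny all from any to 127.0.0.0/8"
    # Dynamic rules for flows we opened ourselves
    echo "add check-state"
    echo "add pass tcp from me to any setup keep-state"
    echo "add pass udp from me to any keep-state"
    # ICMP that must not be blocked wholesale
    echo "add pass icmp from any to any icmptypes ${firewall_icmp_types}"
    # Services explicitly opened via the rc.conf variable
    for p in ${firewall_open_ports}; do
        echo "add pass tcp from any to me ${p} setup"
    done
    # Ports that get an RST instead of a timeout (avoids sendmail auth delays)
    for p in ${firewall_reset_ports}; do
        echo "add reset tcp from any to me ${p}"
    done
    # Everything else is dropped and logged
    echo "add deny log all from any to any"
}

# Feed each rule to firewall_cmd; with the dry-run default this prints
# the exact ipfw invocations that a real run would execute.
firewall_load() {
    firewall_rules | while IFS= read -r rule; do
        # word-splitting of ${rule} into ipfw arguments is intended
        ${firewall_cmd} ${rule}
    done
}

firewall_load
```

Run it as-is to review the generated rules; set firewall_cmd=/sbin/ipfw (after flushing the old set) to load them for real. Adding 113 to firewall_open_ports instead of firewall_reset_ports, as the thread settled on, avoids the same delay by letting the connection complete.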