[geeks] IPFilter experts?

Mike Hebel nimitz at speakeasy.net
Mon Nov 11 10:16:44 CST 2002


Also the command "quick" is good to use in some areas for performance 
reasons.  Like if it's a web packet and you don't want to test for 
anything else on the line - a "quick" means you don't have to go through 
the rest of those rules.

Be careful though - it's easy to short-circuit a rule because of a 
"quick" match above it.  "Only the last match counts." - but then you 
probably know that.

Mike Hebel

Kurt Huhn wrote:

> Bill Bradford  wrote:
>
>
> >Any ipfilter wizards out there?  I need assistance in changing my
> >current config from "block ports I use, and only allow outside access
> >to certain ports" to "block everything, only allow certain ports".
> >
>
>
> I'm far from an ipfilter wizard, but good firewall ruleset design goes
> something like this:
>  - allow specific ports/services to specific systems inbound
>  - allow specific ports/services to specific systems outbound
>  - deny everything else from everything to everything
>
> so something like (with total disregard for ipfilter syntax):
> 1: some_external_address -> internal_address:port_num allow
> 2: some_other_external_address -> internal_address:other_port_num allow
> 3: internal_address_block -> all_outside_addresses:80 allow
> 4: specific_internal_address_your_workstation -> all_outside_addresses:22
> allow
> 5: all_external_addresses -> all_internal_addresses deny
> 6: all_internal_addresses -> all_external_addresses deny
>
> Since the firewall will (should) step through the rules in order, and stop
> when a match is made, this gives you extreme control over the services you
> allow - it also raises the processing power requirement of your firewall by
> a potentially significant amount.
>
> Hope that helps.
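The default-deny layout Kurt sketches, written out in real ipfilter syntax and using "quick" the way Mike describes, as an added example that is not part of the original thread. The interface name (fxp0), the 192.168.1.0/24 inside block, the 192.168.1.5 workstation, the 203.0.113.x outside hosts and the port numbers are all assumptions chosen for illustration:

```ipfilter
# Added example /etc/ipf.conf (not from the original thread).
# fxp0, 192.168.1.0/24, 192.168.1.5, 203.0.113.10/.20 and the ports are
# assumptions for illustration only.
#
# ipfilter walks every rule and the LAST match wins, unless a matching
# rule says "quick", in which case evaluation stops right there.
# So: state the default policy first (non-quick), then the exceptions
# as "quick" rules so a matching packet never reaches the rest.

# Loopback is always allowed.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default policy (rules 5/6 above): block everything in both directions
# and log it.  Any packet that no "quick" rule claims ends up here.
block in  log on fxp0 all
block out log on fxp0 all

# Junk that should never be considered further: IP options, short
# TCP fragments.  "quick" so nothing below can accidentally pass them.
block in quick on fxp0 all with ipopts
block in quick on fxp0 proto tcp all with short

# Rules 1/2: specific outside hosts to specific inside services.
# "flags S" only lets the initial SYN match; "keep state" then passes
# the rest of that connection (including replies) from the state table.
pass in quick on fxp0 proto tcp from 203.0.113.10 to 192.168.1.10 port = 22 flags S keep state
pass in quick on fxp0 proto tcp from 203.0.113.20 to 192.168.1.10 port = 25 flags S keep state

# Rule 3: the whole inside block may reach web servers outside.
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 80  flags S keep state
pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state

# Rule 4: only the workstation may ssh out.
pass out quick on fxp0 proto tcp from 192.168.1.5 to any port = 22 flags S keep state

# Mike's caveat, shown as a mistake NOT to make: if this "quick" pass
# were placed above the outbound rules, every inside host could reach
# port 22 anywhere, and the narrower rule 4 would never be consulted.
#   pass out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 22 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` (flush, then reload) and confirm the order the kernel actually holds with `ipfstat -io`. Because the two `block ... all` rules are not "quick", they cost nothing until a packet has failed every "quick" pass rule, which is the performance point Mike makes; the price is that a "quick" rule placed too high silently wins over anything more specific beneath it, so review the list top to bottom whenever you add one.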


