I recently added these when redeveloping a client's firewall. They are:

* DansGuardian proxy (with additional rule for delayed reply packets)
* NTP bi-directional (for peers)
* IPP broadcasts (from CUPS print servers)
* multicast DNS broadcasts (bi-directional)
* RIP broadcasts (bi-directional)

If you don't feel any of these are worthwhile, feel free to dump them. :-)

Paul
------------------------------------------------------------------------------
Paul Gear wrote:
> I recently added these when redeveloping a client's firewall.

And as usual, I forgot the attachment...
------------------------------------------------------------------------------
Paul Gear wrote:
> Paul Gear wrote:
>> I recently added these when redeveloping a client's firewall.
> And as usual, I forgot the attachment...

I vote against macro.DG

webcache 8080/tcp # WWW caching service
webcache 8080/udp # WWW caching service

It should be macro.Webcache; that's what the port is registered for.

-- 
Tuomo Soini <tis@foobar.fi> Foobar Linux services +358 40 5240030
Foobar Oy <http://foobar.fi/>
------------------------------------------------------------------------------
Tuomo Soini wrote:
> Paul Gear wrote:
>> Paul Gear wrote:
>>> I recently added these when redeveloping a client's firewall.
>> And as usual, I forgot the attachment...
>
> I vote against macro.DG
>
> webcache 8080/tcp # WWW caching service
> webcache 8080/udp # WWW caching service
>
> It should be macro.Webcache; that's what the port is registered for.

A symlink, perhaps? :-)

Paul
------------------------------------------------------------------------------
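The macro Tuomo proposes, written out as an added example in the Shorewall 3.x macro-file layout (this is not Paul's attachment, which is not on the page, and not a file shipped by the Shorewall project); the column layout follows the stock macros such as macro.HTTP, and the rules-file invocation in the trailing comment is illustrative.

```text
#
# Shorewall macro: /usr/share/shorewall/macro.Webcache  (added example)
#
# Opens the registered "webcache" port, 8080, as listed in /etc/services.
# PARAM is replaced by the action given when the macro is invoked.
#
#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
#				PORT(S)	PORT(S)	LIMIT	GROUP
PARAM	-	-	tcp	8080
PARAM	-	-	udp	8080
#
# Invoked from /etc/shorewall/rules with the action as a suffix, e.g.
# to let the LAN reach a DansGuardian/Squid proxy on the firewall:
#
#   Webcache/ACCEPT	loc	$FW
#
# A proxy only listens on TCP, so the udp line can be dropped if the
# macro is meant for proxies alone; it is kept here to match the
# /etc/services registration quoted in the thread.
```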
Tom Eastep wrote:
> ...
> Also, 'late replies' entries are not required with TCP.

Maybe I should take this one on to the users list, but I've found them to be required a lot of times when they shouldn't be, with both TCP and UDP. Connection tracking seems to just lose reference to the connection on occasion. I've never had the opportunity to track it down in more detail than that; if anyone can point me in the right direction, I'd be really glad to get rid of those rules.

Paul
------------------------------------------------------------------------------
Paul Gear wrote:
> Tom Eastep wrote:
>> ...
>> Also, 'late replies' entries are not required with TCP.
>
> Maybe I should take this one on to the users list, but I've found them
> to be required a lot of times when they shouldn't be, with both TCP
> and UDP. Connection tracking seems to just lose reference to the
> connection on occasion. I've never had the opportunity to track it down
> in more detail than that; if anyone can point me in the right
> direction, I'd be really glad to get rid of those rules.

My belief is that these have been largely due to bugs in Netfilter where valid packets are incorrectly assigned the INVALID state rather than the ESTABLISHED state. As Netfilter has gotten better, this problem has gotten a lot less burdensome.

I currently only have one of these rules for TCP and it is for active mode FTP. And that one is to handle PASV commands that are split between packets rather than Netfilter problems.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
------------------------------------------------------------------------------