:Hoi,
:
:this replaces rc.firewall so that it doesn't need to be
:modified anymore and can be used with rc.conf variables.
:
:Andy
:
:http://ftp.fortunaty.net/DragonFly/inofficial/patches/rc.firewall.patch

This looks like a very nice rewrite of rc.firewall. Did you write it yourself? If so, can we put the DragonFly copyright on it?

Right off the bat I see a problem with the ICMP rules (but then again the original rc.firewall code also had some issues). There are a couple of ICMP types that have to be allowed through for TCP MTU discovery to work properly; you can't just turn off all ICMP. E.g. packet-too-big, echo, echo-reply, unreachable, traceroute, ttl-exceeded, and parameter-problem should generally be allowed through. I forget the ICMP numbers for them, but those are the ones that have to be allowed.

Also, certain TCP ports have to either be allowed (even if no service is running), or a reset has to be sent for connection attempts on them. Well, at least one TCP port anyway, that being 'auth', port 113. Otherwise auth requests made by, e.g., remote sendmails will create unnecessary delays. 'man firewall' for the low-down.

With the appropriate changes I think this patch can replace our current rc.firewall.

-Matt
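The two points raised above (ICMP types needed for path-MTU discovery, and a reset instead of a silent drop on tcp/113), written out as ipfw rules in rc.firewall style. This is an added illustration, not Andy's patch and not DragonFly's rc.firewall; the rule numbers and the `FWCMD` dry-run default are assumptions so it can be run on any host without touching a live firewall. The ICMP numbers Matt could not recall are 0 echo-reply, 3 unreachable (code 4 is packet-too-big), 8 echo, 11 ttl-exceeded and 12 parameter-problem; traceroute replies arrive as types 11 and 3.

```shell
# FWCMD defaults to a dry-run printer; set FWCMD=ipfw to load for real.
FWCMD="${FWCMD:-echo ipfw}"
# Rule numbers are arbitrary choices for this example.
ICMP_RULE=1000
AUTH_RULE=1010

# ICMP types that must pass for PMTU discovery, ping and traceroute:
#   0 echo-reply, 3 unreachable (code 4 = packet-too-big),
#   8 echo, 11 ttl-exceeded, 12 parameter-problem.
PMTU_ICMP_TYPES="0,3,8,11,12"

# Allow only the listed ICMP types rather than all of ICMP or none of it.
emit_icmp_rules() {
    $FWCMD add $ICMP_RULE allow icmp from any to any icmptypes $PMTU_ICMP_TYPES
}

# Send a TCP RST to auth/ident (tcp/113) connection attempts instead of
# dropping them, so a remote MTA's ident lookup fails fast rather than
# sitting in a timeout before mail is accepted.
emit_auth_rules() {
    $FWCMD add $AUTH_RULE reset tcp from any to me 113 setup
}

# Reviewer check: does a rule set (text on stdin-style argument) still
# admit all five ICMP types?  Prints "ok" or "missing <type>".
check_icmp_types() {
    rules="$1"
    for t in 0 3 8 11 12; do
        echo "$rules" | grep -Eq "icmptypes[ ]+([0-9]+,)*$t(,|$)" \
            || { echo "missing $t"; return 1; }
    done
    echo ok
}

emit_icmp_rules
emit_auth_rules
```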