From owner-freebsd-questions@FreeBSD.ORG Thu Jul 26 14:15:24 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0E17A16A419 for ; Thu, 26 Jul 2007 14:15:24 +0000 (UTC) (envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by mx1.freebsd.org (Postfix) with ESMTP id D8B7913C4B6 for ; Thu, 26 Jul 2007 14:15:23 +0000 (UTC) (envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.13.8/8.13.8) with ESMTP id l6QEFNG1063819 for ; Thu, 26 Jul 2007 09:15:23 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200707261415.l6QEFNG1063819@dc.cis.okstate.edu>
To: freebsd-questions@freebsd.org
Date: Thu, 26 Jul 2007 09:15:23 -0500
From: Martin McCormick
Subject: Please Help with Confusion about ipfw rules.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 26 Jul 2007 14:15:24 -0000

This is a situation where I thought I knew more than I actually do. I set up a new domain name server with a client-type firewall after having tested it first, but there is nothing like hundreds of thousands of packets per hour to show the weak spots.

I made the mistake of setting up keep-state rules both coming and going, and I now see ipfw complaining frequently about too many dynamic rules.

All I am really trying to do is give crackers a lot of nothing to look at when scanning the ports on the system. It isn't doing any NAT or routing, etc. I am not sure if I really need any keep-state rules. The DNS needs to be accessible to the world and be able to talk to the world on port 53, and that is all as far as bind is concerned.
What I am confused about is when I actually need keep-state rules and when a simple rule like:

    ${fwcmd} add pass all from any to ${ip} 53

and

    ${fwcmd} add pass all from ${ip} to any 53

That theoretically should leave port 53 wide open to all types of in-bound and out-bound traffic.

Fortunately, the new system is still working, but I am afraid we might be dropping some packets, so I need to modify the port 53 access.

Thanks for your help.

Martin McCormick WB5AGZ  Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group