From: Norm Vilmer
Date: Fri, 17 Sep 2004 11:59:43 -0500
To: Bill Moran
Cc: Rob, freebsd-questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry

Bill Moran wrote:
> Rob wrote:
>
>> Norm Vilmer wrote:
>>
>>> Here are the rules that I have that keep-state on the outside interface:
>>>
>>> # For DNS
>>> add 01300 pass udp from ${oip} to any 53 keep-state
>>> # For NTP
>>> add 01400 pass udp from ${oip} to any 123 keep-state
>>> # For VPN
>>> add 01500 pass gre from any to any keep-state
>>> # For ICMP
>>> add 01600 pass icmp from any to any via ${oip} keep-state
>>>
>>> Do you think these are causing the problem?
>>
>> Aren't udp and icmp state-less protocols?
>> In that case, keep-state would not make much sense.
>>
>> I use 'keep-state' only for tcp rules.
>>
>> I may be wrong, moreover, I haven't followed the full thread :).
>
> You'll generally need to keep state on UDP when you play online games.
>
> If you're smart, you don't allow arbitrary UDP packets from the outside
> world into your network, but if you're playing Unreal or something, then
> all communication is via UDP, and you won't be able to play.
>
> The best solution is to allow all UDP traffic to _leave_, while keeping
> state. The keep-state remembers the ip/port information on the outgoing
> packets, and thus allows return packets to get back in (by matching the
> ip/port pair).
>
> Now, when you know the port, it doesn't really make sense to use
> keep-state, and all you're really doing is spamming your state tables.
>
> If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> these rules (designed to handle running a DNS server):
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
>
> Granted, it's three rules instead of 1, but it does not use your state
> tables unnecessarily (sp?)
>
> HTH.

I'm not sure why, but using the above rules from the supplied rc.firewall
causes nslookup to fail on all my machines inside the firewall. I am sure it
must have something to do with the order. Also, I am not running a DNS, so I
really only need the outbound rule (I think). I changed my rule to

add 01300 pass udp from ${oip} to any 53

This seems to be working. So I also removed the keep-state from the ICMP and
NTP rules. I had thought that you needed the keep-state rule for ICMP if you
wanted traceroute to work correctly, but it behaves the same regardless.

add 01400 pass udp from ${oip} to any 123
add 01600 pass icmp from any to any via ${oip}

I left the keep-state on the gre rule, well, because I am afraid it may cause
weirdness in the VPN connection.

Norm Vilmer
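The rewrite Bill describes above (drop keep-state where the port is already fixed and add an explicit return-path rule instead), as an added example that is not from this thread or from FreeBSD's own rc.firewall: a small Python lint over a constructed ruleset mirroring Norm's rules, with ${oip} replaced by the placeholder address 192.0.2.1. It generalizes the DNS case to any UDP rule with a known destination port, rewrites ICMP to a single stateless rule, and leaves GRE, TCP and port-less UDP rules exactly as written.

```python
import re

# Constructed sample mirroring the keep-state rules quoted in the thread,
# with ${oip} replaced by the placeholder outside address 192.0.2.1.
SAMPLE_RULES = """\
add 01300 pass udp from 192.0.2.1 to any 53 keep-state
add 01400 pass udp from 192.0.2.1 to any 123 keep-state
add 01500 pass gre from any to any keep-state
add 01600 pass icmp from any to any via 192.0.2.1 keep-state
add 01700 pass tcp from 192.0.2.1 to any 80 setup keep-state
"""

# Minimal parse of "add NUM ACTION PROTO from SRC [PORT] to DST [PORT] ... keep-state".
RULE_RE = re.compile(
    r"add\s+(?P<num>\d+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?"
    r"(?P<rest>.*?)\s*keep-state\s*$"
)


def rewrite_stateless(ruleset):
    """Drop keep-state where the port is already known.

    A UDP rule to a fixed destination port becomes the outbound rule plus
    an explicit return-path rule (the pattern rc.firewall uses for DNS).
    ICMP becomes one stateless rule; any trailing options such as 'via'
    are preserved. GRE, TCP and port-less UDP rules are left as written.
    """
    out = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            out.append(line)          # comments, already-stateless rules
            continue
        g = m.groupdict()
        base = f"add {g['num']} {g['action']}"
        if g["proto"] == "udp" and g["dport"] and not g["sport"]:
            out.append(f"{base} udp from {g['src']} to {g['dst']} {g['dport']}")
            out.append(f"{base} udp from {g['dst']} {g['dport']} to {g['src']}")
        elif g["proto"] == "icmp":
            out.append(f"{base} icmp from {g['src']} to {g['dst']}{g['rest']}")
        else:
            out.append(line)
    return out
```

Every keep-state rule dropped this way is one fewer dynamic entry created per flow, which is what counts against the ipfw dynamic-rule limit behind the "Too many dynamic rules" message in the subject.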