From: "G D McKee"
To: freebsd-questions@FreeBSD.org
Subject: Advice on IPFW Based Firewalls
Date: Tue, 2 Apr 2002 19:52:35 +0100

Hi

I have been reading the FreeBSD Cheat Sheets and have noticed that the firewall script differs from the way the ipfw man page says to do it. I am referring to the section on stateful filtering. The demo file at http://people.freebsd.org/~keramida/files/ipfw.rules seems to do it the correct way - if there is such a way? Is the old way wrong, or is there a good reason for doing it the old way? Also - what is a sensible limit for limiting the max source address?
The following is the bit in the man page I am referring to:

  A first and efficient way to limit access (not using dynamic rules) is the use of the following rules:

      ipfw add allow tcp from any to any established
      ipfw add allow tcp from net1 portlist1 to net2 portlist2 setup
      ipfw add allow tcp from net3 portlist3 to net3 portlist3 setup
      ...
      ipfw add deny tcp from any to any

  The first rule will be a quick match for normal TCP packets, but it will not match the initial SYN packet, which will be matched by the setup rules only for selected source/destination pairs. All other SYN packets will be rejected by the final deny rule.

  In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules:

      ipfw add check-state
      ipfw add deny tcp from any to any established
      ipfw add allow tcp from my-net to any setup keep-state

  This will let the firewall install dynamic rules only for those connections which start with a regular SYN packet coming from the inside of our network. Dynamic rules are checked when encountering the first check-state or keep-state rule. A check-state rule should usually be placed near the beginning of the ruleset to minimize the amount of work scanning the ruleset. Your mileage may vary.

  To limit the number of connections a user can open you can use the following type of rules:

      ipfw add allow tcp from my-net/24 to any setup limit src-addr 10
      ipfw add allow tcp from any to me setup limit src-addr 4

Thanks in advance.

Gordon
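The stateful ruleset quoted from the man page, as an added sh example that is not part of Gordon's post or of ipfw itself: it emits the rules in the one-command-per-line form that `ipfw -q <file>` loads, parameterised by an inside network and the two per-source limits (the 192.168.0.0/24 network, the limits 10 and 4, and the trailing explicit deny are all assumed values), and runs a small ordering lint that rejects a ruleset whose "deny ... established" rule comes before any state lookup, or that has no check-state rule at all.

```sh
#!/bin/sh
# Added example, not from the original post or the ipfw man page.
# Emits the man page's stateful ruleset in ipfw(8) file form (no "ipfw"
# prefix, one command per line) and lint-checks its ordering.
# To load on a FreeBSD box: stateful_rules 192.168.0.0/24 10 4 > /tmp/rules
#                           && ipfw -q /tmp/rules      (assumed paths/values)

# $1 = inside network, $2 = outbound limit per source, $3 = inbound limit per source
stateful_rules() {
    cat <<EOF
add check-state
add deny tcp from any to any established
add allow tcp from $1 to any setup limit src-addr $2
add allow tcp from any to me setup limit src-addr $3
add deny tcp from any to any
EOF
}

# Ordering check over a ruleset on stdin.  Dynamic rules are consulted from the
# first check-state (or keep-state/limit) rule onward, so a "deny ... established"
# placed before that point drops the replies of every legitimate tracked session.
# Prints the reason and returns 1 on a violation, 0 if the order is sane.
lint_rules() {
    awk '
        BEGIN { cs = 0; seen_state = 0; bad = 0 }
        /check-state/              { cs++; seen_state = 1 }
        /keep-state|limit src-addr/ { seen_state = 1 }
        /deny .*established/ && !seen_state {
            print "line " NR ": deny established before any state lookup"
            bad = 1; exit 1
        }
        END {
            if (bad) exit 1
            if (cs == 0) { print "no check-state rule in ruleset"; exit 1 }
        }'
}
```

The "old way" ruleset (allow established first, no check-state) fails the lint, which is exactly the difference between the two man page fragments.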