Date:      Wed, 16 Jun 2004 08:17:06 +0300
From:      Giorgos Keramidas <keramida@ceid.upatras.gr>
To:        Robert Downes <nullentropy@lineone.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Firewall rules
Message-ID:  <20040616051706.GA21586@gothmog.gr>
In-Reply-To: <20040615202946.GB1116@gothmog.gr>
References:  <40CF53FA.7070308@lineone.net> <20040615202946.GB1116@gothmog.gr>

On 2004-06-15 23:29, Giorgos Keramidas <keramida@ceid.upatras.gr> wrote:
>On 2004-06-15 20:54, Robert Downes <nullentropy@lineone.net> wrote:
>> I'm obviously missing something...
>>
>> su-2.05b# ipfw -a list
>> 00100  16  1144 divert 8668 ip from any to any in via rl0
>> 00200  17   964 divert 8668 ip from any to any out via rl0
>> 00300   0     0 check-state
>> 00400  32  3296 allow ip from me to me
>> 00500  21  1268 allow ip from 192.168.0.0/24 to any keep-state
>> 00600 274 25875 allow ip from 192.168.1.0/24 to any keep-state
>> 00700   2    96 deny log ip from any to any
>> 65535   4   429 deny ip from any to any
>>
>> Now, having seen plenty of examples of huge lists of rules, I'm
>> obviously not seeing something that is apparent to others.

Replying to my own post... Someone mentioned the hit count of rule 300,
check-state, and I noticed that you have keep-state rules for plain IP
packets and they don't have any {in,out} specifier.

I'm not sure if this is the best way to use ipfw's keep-state option.
Try using keep-state for TCP packets only:

    add 500 allow tcp from 192.168.0.0/24 to any out setup keep-state
    add 501 allow tcp from 192.168.1.0/24 to any out setup keep-state

Seeing that you have blocked *all* other connections, you might want to
add a couple of rules to let TCP connections through for specific
protocols, i.e.:

    add 600 allow tcp from any to any 22 in recv setup keep-state

These rules will allow the initial "TCP connection setup" packets for
the respective connections and add dynamic rules in ipfw's state table
to let the rest of the connection through.  You don't need to let
anything else through.  Especially *not* "established" packets, as I've
seen in many rulesets.

Cheers,

Giorgos
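To make the point about `check-state`/`keep-state` versus a blanket `established` rule concrete, here is a small Python model of ipfw's stateful matching. It is an added example and not part of Giorgos's message or of ipfw itself: it models only the pieces the reply talks about (rule order, `setup`, `established`, `keep-state` and the dynamic state table), and the hosts, ports and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample values. The internal 192.168.0.0/24 network and the rule numbers come from the thread.

```python
"""Toy model of ipfw stateful matching (added example, not ipfw code).

Shows why 'setup keep-state' plus 'check-state' is enough, and why an
'allow tcp from any to any established' rule lets unsolicited packets in.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str           # "in" or "out"
    flags: frozenset         # TCP flags set on the packet, e.g. {"SYN"}


@dataclass
class Rule:
    num: int
    action: str                      # "allow", "deny" or "check-state"
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None  # "in", "out" or None (either way)
    setup: bool = False              # ipfw 'setup': SYN set, ACK clear
    established: bool = False        # ipfw 'established': ACK or RST set
    keep_state: bool = False         # create a dynamic rule on match

    def matches(self, pkt: Packet) -> bool:
        def in_net(ip: str, spec: str) -> bool:
            return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

        if not in_net(pkt.src, self.src) or not in_net(pkt.dst, self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.direction is not None and pkt.direction != self.direction:
            return False
        if self.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


class Firewall:
    """Evaluates rules in number order; the state table is a set of flows."""

    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = set()

    @staticmethod
    def _flow(pkt: Packet) -> frozenset:
        # Direction-independent key, so the reply packet matches the same entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.action == "check-state":
                if self._flow(pkt) in self.dynamic:
                    return "allow (dynamic)"
                continue
            if rule.matches(pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(self._flow(pkt))
                return f"{rule.action} (rule {rule.num})"
        return "deny (65535)"   # ipfw's implicit default rule


# The ruleset the reply recommends: state is created only by connection setup.
STATEFUL = [
    Rule(300, "check-state"),
    Rule(500, "allow", src="192.168.0.0/24", direction="out", setup=True, keep_state=True),
    Rule(600, "allow", dport=22, direction="in", setup=True, keep_state=True),
    Rule(700, "deny"),
]

# The same ruleset with the 'established' rule the reply warns against.
LOOSE = STATEFUL[:3] + [Rule(650, "allow", established=True), Rule(700, "deny")]


def run_scenario(rules: List[Rule]) -> List[str]:
    """Three constructed packets: an outbound SYN, its SYN-ACK reply, and a
    stray ACK-only packet to port 22 that belongs to no known connection."""
    fw = Firewall(rules)
    syn = Packet("192.168.0.10", 40000, "203.0.113.5", 80, "out", frozenset({"SYN"}))
    synack = Packet("203.0.113.5", 80, "192.168.0.10", 40000, "in", frozenset({"SYN", "ACK"}))
    stray = Packet("198.51.100.7", 4444, "192.168.0.10", 22, "in", frozenset({"ACK"}))
    return [fw.evaluate(syn), fw.evaluate(synack), fw.evaluate(stray)]


if __name__ == "__main__":
    print("stateful:", run_scenario(STATEFUL))
    print("loose:   ", run_scenario(LOOSE))
```

With `STATEFUL`, the SYN matches rule 500 and creates a dynamic entry, the SYN-ACK is accepted at rule 300 from that entry, and the stray ACK falls through to the deny at 700 because it is neither a known flow nor a connection setup. With `LOOSE`, the same stray ACK is accepted by the `established` rule, which is exactly the gap the reply describes. Two caveats when carrying this over to a real ipfw: dynamic rules there also expire on timeouts and track TCP state more finely than a set of endpoints, and the `recv` keyword in rule 600 above must be followed by an interface name (for the quoted ruleset that would be `recv rl0`).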

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040616051706.GA21586>