From owner-freebsd-questions@FreeBSD.ORG Wed Jun 16 05:17:49 2004
Date: Wed, 16 Jun 2004 08:17:06 +0300
From: Giorgos Keramidas
To: Robert Downes
cc: freebsd-questions@freebsd.org
Subject: Re: Firewall rules
Message-ID: <20040616051706.GA21586@gothmog.gr>
References: <40CF53FA.7070308@lineone.net> <20040615202946.GB1116@gothmog.gr>
In-Reply-To: <20040615202946.GB1116@gothmog.gr>

On 2004-06-15 23:29, Giorgos Keramidas wrote:
>On 2004-06-15 20:54, Robert Downes wrote:
>> I'm obviously missing something...
>>
>> su-2.05b# ipfw -a list
>> 00100   16   1144 divert 8668 ip from any to any in via rl0
>> 00200   17    964 divert 8668 ip from any to any out via rl0
>> 00300    0      0 check-state
>> 00400   32   3296 allow ip from me to me
>> 00500   21   1268 allow ip from 192.168.0.0/24 to any keep-state
>> 00600  274  25875 allow ip from 192.168.1.0/24 to any keep-state
>> 00700    2     96 deny log ip from any to any
>> 65535    4    429 deny ip from any to any
>>
>> Now, having seen plenty of examples of huge lists of rules, I'm
>> obviously not seeing something that is apparent to others.

Replying to my own post...

Someone mentioned the hit count of rule 300, check-state, and I noticed
that you have keep-state rules for plain IP packets and they don't have
any {in,out} specifier.  I'm not sure if this is the best way to use
ipfw's keep-state option.  Try using keep-state for TCP packets only:

    add 500 allow tcp from 192.168.0.0/24 to any out setup keep-state
    add 501 allow tcp from 192.168.1.0/24 to any out setup keep-state

Seeing that you have blocked *all* other connections, you might want to
add a couple of rules to let TCP connections through for specific
protocols, i.e.:

    add 600 allow tcp from any to any 22 in recv setup keep-state

These rules will allow the initial "TCP connection setup" packets for
the respective connections and add dynamic rules in ipfw's state table
to let the rest of the connection through.  You don't need to let
anything else through.  Especially *not* "established" packets, as I've
seen in many rulesets.

Cheers,
Giorgos
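As an added illustration of the stateful behaviour described in the reply above (example code, not from the email or from FreeBSD's ipfw), here is a simplified Python model of check-state/keep-state evaluation over the suggested rules 300, 500, 501, 600 and 700. Constructed packets show that the outbound setup packet creates the dynamic rule, the reply is admitted by check-state, an unsolicited inbound packet with only ACK set (what an "established" rule would admit) is denied by rule 700, and an inbound SSH setup packet is admitted by rule 600. The rule table, packet helper and flow key are assumptions of the model, and interface qualifiers ("via rl0", "recv") are omitted.

```python
from ipaddress import ip_address, ip_network
# Static rules from the reply, in evaluation order (model assumption; interface
# qualifiers omitted). Fields: (number, action, src net, dst port, direction, setup-only, keep-state)
RULES = [
    (300, "check-state", None, None, None, False, False),
    (500, "allow", "192.168.0.0/24", None, "out", True, True),
    (501, "allow", "192.168.1.0/24", None, "out", True, True),
    (600, "allow", "0.0.0.0/0", 22, "in", True, True),
    (700, "deny", "0.0.0.0/0", None, None, False, False),
]

def pkt(direction, src, sport, dst, dport, syn, ack):
    # Constructed TCP packet; ipfw's "setup" means SYN set and ACK clear.
    return dict(dir=direction, src=src, sport=sport, dst=dst, dport=dport, syn=syn, ack=ack)

def flow(p):
    # Direction-agnostic key, so a reply matches the state its setup packet created.
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.state = {}  # dynamic rules: flow key -> number of the rule that created it
    def evaluate(self, p):
        # Return (action, rule number) for one packet, updating the state table.
        for num, action, net, dport, direction, setup, keep in self.rules:
            if action == "check-state":
                if flow(p) in self.state:  # dynamic rule hit: the parent rule's action applies
                    return "allow", self.state[flow(p)]
                continue
            if ip_address(p["src"]) not in ip_network(net):
                continue
            if dport is not None and p["dport"] != dport:
                continue
            if direction is not None and p["dir"] != direction:
                continue
            if setup and not (p["syn"] and not p["ack"]):
                continue
            if keep:
                self.state[flow(p)] = num
            return action, num
        return "deny", 65535  # implicit default rule

def demo():
    fw = Firewall()
    return {
        "lan_syn_out": fw.evaluate(pkt("out", "192.168.0.5", 40000, "203.0.113.10", 80, True, False)),
        "reply_in": fw.evaluate(pkt("in", "203.0.113.10", 80, "192.168.0.5", 40000, True, True)),
        "unsolicited_ack_in": fw.evaluate(pkt("in", "198.51.100.7", 443, "192.168.0.5", 40001, False, True)),
        "ssh_syn_in": fw.evaluate(pkt("in", "198.51.100.7", 51000, "192.168.0.1", 22, True, False)),
        "smtp_syn_in": fw.evaluate(pkt("in", "198.51.100.7", 51001, "192.168.0.1", 25, True, False)),
    }
```

Running `demo()` shows the reply to the LAN-initiated connection is admitted through the dynamic rule created by rule 500, while the ACK-only packet that an "established" rule would have passed falls through to the deny at 700.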