From: m p
Date: Wed, 23 Jan 2002 03:52:15 +0100 (CET)
Subject: Re: Some questions about ipfw
To: Scott Nolde, Ray Kohler
Cc: freebsd-questions@FreeBSD.ORG

Scott Nolde wrote:

> Thus sayeth the previous author:
>
> >Date: Tue, 22 Jan 2002 19:33:06 -0500
> >From: Ray Kohler
> >To: freebsd-questions@FreeBSD.ORG
> >Subject: Some questions about ipfw

(snip)

> >(No, I'm not using rc.firewall and not running natd.) I
> >intend to let anything out and nothing in that isn't part
> >of an established connection (and of course the ICMP type 3 packets).
>
> Perhaps you should use rc.firewall. firewall_type="CLIENT" is a good
> start.

Yes, it is the recommended way to do it - but not the only one.

> >I have 3 questions:
> >
> >1) Why does the rc.firewall script use "setup" and "established" rules
> >for tcp instead of keep-state like it does for udp?
>
> Setup will allow the SYN packet through and established lets the rest of
> the session's packets through.

"setup" and "established" can NOT do it for UDP! UDP is "stateless", which means there is nothing like SYN and ACK.

> >2) Are these rules sufficient for my purpose?
>
> You have essentially allowed your computer to send, but not receive.

That is not correct. keep-state creates, for every session started by his machine, a dynamic rule which is checked either by the first "check-state" or by the first "keep-state" in his ruleset.

> >3) I'm having trouble fetching ports even with
> >FETCH_CMD= fetch -p set in make.conf. Eventually I get the file,
> >but not until after a lot of servers are tried. In my logs I see a lot of:
> (snip)
>
> This is a normal response after instituting the rules you've set forth.

I can not see why the packets should be denied. If there were other packets sent back to him, he should see them denied in the logs too. But he is not seeing them.

"setup" and "established" can be bypassed with hand-crafted packets which have the SYN and ACK bits set. That is the behaviour of any stateless firewall. With "keep-state" only packets are allowed that match a rule created by his machine at connection start time. It is considered "more secure" to use "keep-state" _correctly_.

For testing, can you, Ray, please test some rules with "setup" and "established" _only_, to see if it helps to use "setup" and "established"?

Your ruleset looks okay to me.

Hope that helps
Marc
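The difference Marc describes between a stateless "setup"/"established" pair and "check-state"/"keep-state" dynamic rules, as an added toy model of the two matching strategies (example code written for this archive page, not ipfw itself and not from anyone in the thread; the host and peer addresses and ports are constructed):

```python
from dataclasses import dataclass

ME = "10.0.0.2"  # constructed address standing in for Ray's machine


@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def outbound(pkt):
    return pkt.src == ME


def stateless(pkt):
    """Model of 'allow tcp ... out setup' + 'allow tcp ... in established'.
    'established' matches any TCP packet with ACK (or RST) set, so it cannot
    tell a reply to our own SYN from an unsolicited SYN+ACK, and it has no
    notion of UDP sessions at all."""
    if outbound(pkt):
        return True
    return pkt.proto == "tcp" and pkt.ack


class Stateful:
    """Model of 'check-state' + 'allow ip from me to any keep-state'.
    An outbound packet records its 4-tuple as a dynamic rule; an inbound
    packet passes only if the reversed tuple was created by this host."""
    def __init__(self):
        self.dynamic = set()

    def check(self, pkt):
        if outbound(pkt):
            self.dynamic.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.dynamic


def compare():
    """Run constructed packets through both models; returns name -> (stateless, stateful)."""
    fw = Stateful()
    flows = [
        ("our_syn", Pkt("tcp", ME, 40000, "198.51.100.7", 80, syn=True)),
        ("reply",   Pkt("tcp", "198.51.100.7", 80, ME, 40000, syn=True, ack=True)),
        ("crafted", Pkt("tcp", "203.0.113.9", 80, ME, 22, syn=True, ack=True)),
        ("our_dns", Pkt("udp", ME, 50000, "198.51.100.53", 53)),
        ("dns_rep", Pkt("udp", "198.51.100.53", 53, ME, 50000)),
    ]
    return {name: (stateless(p), fw.check(p)) for name, p in flows}
```

The "crafted" inbound SYN+ACK is accepted by the stateless model but rejected by the keep-state model, while the UDP reply is only handled correctly by keep-state, which is the point of both of Marc's objections.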