From owner-freebsd-questions Tue Jan 22 21:50:32 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mail8.mgfairfax.rr.com (fe8.southeast.rr.com [24.93.67.55]) by hub.freebsd.org (Postfix) with ESMTP id 9FFA837B416 for ; Tue, 22 Jan 2002 21:50:22 -0800 (PST)
Received: from there ([24.163.113.25]) by mail8.mgfairfax.rr.com with Microsoft SMTPSVC(5.5.1877.687.68); Tue, 22 Jan 2002 22:52:50 -0500
Content-Type: text/plain; charset="iso-8859-1"
From: Ray Kohler
To: m p , Scott Nolde
Subject: Re: Some questions about ipfw
Date: Tue, 22 Jan 2002 22:56:05 -0500
X-Mailer: KMail [version 1.3.2]
Cc: freebsd-questions@FreeBSD.ORG
References: <20020123025215.95139.qmail@web13303.mail.yahoo.com>
In-Reply-To: <20020123025215.95139.qmail@web13303.mail.yahoo.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID: <053275052031712FE8@mail8.mgfairfax.rr.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tuesday 22 January 2002 09:52 pm, m p wrote:
> Scott Nolde wrote:
> > This is a normal response after instituting the rules you've
> > set forth.
>
> I cannot see why the packets should be denied. If there were
> other packets sent back to him, he should see them denied in
> the logs too. But he is not seeing them.
>
> "setup" and "established" can be bypassed with hand-crafted
> packets which have the SYN and ACK bits set. That is the behaviour
> of any stateless firewall. With "keep-state" only packets are
> allowed that match a rule created by his machine at connection
> start time.
>
> It is considered "more secure" to use "keep-state" _correctly_.
>
> For testing, can you, Ray, please test some rules with "setup" and
> "established" _only_ to see if it helps to use "setup" and
> "established"?
>
> Your ruleset looks okay to me.
Doing the TCP with "established" and "setup" rules seems to improve behavior, but then I'm beginning to think that there was network trouble upstream at that point anyway, and that's why things were showing up so late. I'm considering just going back to IPF at this point; I had it working before, and it just seems a little "smarter" than IPFW.

-- 
Ray Kohler

Schnuffel, n.:
	A dog's practice of continuously nuzzling in your crotch in mixed company.
		-- Rich Hall, "Sniglets"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
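The bypass m p describes in the quoted text, shown as an added example that is not part of the thread and not ipfw's own code: a small Python model of the two rulesets under discussion, one built on `setup`/`established` and one on `setup keep-state` plus `check-state`, fed the same constructed packet sequence. The addresses (RFC 5737 documentation ranges), port numbers and the packet sequence are all made up for the example, and the matching logic is a simplified model of the documented ipfw semantics (`setup` = SYN set and ACK clear; `established` = ACK or RST set; `keep-state` = record the bidirectional 5-tuple on match so `check-state` accepts later packets of that flow). The ipfw rule text in the comments is what each class models.

```python
"""
Stateless 'established' vs stateful 'keep-state' in ipfw, simulated.

Added example, not code from the thread or from FreeBSD. The ipfw rule
strings in the docstrings are the two rulesets being modelled; the
matching logic is a simplified model of ipfw's documented behaviour.
"""
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
ME = "192.0.2.10"           # the firewalled host
SERVER = "198.51.100.20"    # a legitimate web server we connect to
ATTACKER = "198.51.100.66"  # an outside host sending crafted packets


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set, ACK clear (a genuine connection request)."""
    return p.syn and not p.ack


def is_established(p: Packet) -> bool:
    """ipfw 'established': ACK or RST set. Only flag bits are inspected."""
    return p.ack or p.rst


def stateless_filter(p: Packet) -> str:
    """Models this ruleset:
        ipfw add allow tcp from me to any setup
        ipfw add allow tcp from any to any established
        ipfw add deny  tcp from any to any
    """
    if p.src == ME and is_setup(p):
        return "allow"
    if is_established(p):          # any packet with ACK or RST set passes
        return "allow"
    return "deny"


def flow_key(p: Packet) -> frozenset:
    """Bidirectional endpoint pair, matching keep-state's default behaviour."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StatefulFilter:
    """Models this ruleset:
        ipfw add check-state
        ipfw add allow tcp from me to any setup keep-state
        ipfw add deny  tcp from any to any
    """
    def __init__(self) -> None:
        self.flows: set = set()     # the dynamic rule table

    def filter(self, p: Packet) -> str:
        # check-state: packet belongs to a flow this host initiated -> allow
        if flow_key(p) in self.flows:
            return "allow"
        # our own outbound SYN: allow it and create the dynamic rule
        if p.src == ME and is_setup(p):
            self.flows.add(flow_key(p))
            return "allow"
        # everything else, including crafted ACK or SYN+ACK packets, is denied
        return "deny"


def run_scenario() -> dict:
    """Feed one constructed packet sequence through both filters.

    Returns {name: (stateless_decision, stateful_decision)}.
    """
    stateful = StatefulFilter()
    packets = {
        "our_syn":        Packet(ME, 50000, SERVER, 80, syn=True),
        "server_synack":  Packet(SERVER, 80, ME, 50000, syn=True, ack=True),
        "our_ack":        Packet(ME, 50000, SERVER, 80, ack=True),
        # crafted probe: SYN+ACK to our ssh port with no prior connection
        "crafted_synack": Packet(ATTACKER, 4444, ME, 22, syn=True, ack=True),
        # plain inbound connection attempt
        "inbound_syn":    Packet(ATTACKER, 4445, ME, 22, syn=True),
    }
    results = {}
    for name, p in packets.items():     # order matters for the stateful filter
        results[name] = (stateless_filter(p), stateful.filter(p))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:15s} stateless={stateless:5s} keep-state={stateful}")
```

The legitimate three-way handshake is allowed by both rulesets, and a plain inbound SYN is denied by both. The difference is the crafted SYN+ACK probe to port 22: the stateless ruleset lets it through because `established` looks only at flag bits, while the stateful ruleset denies it because no outbound `setup` packet ever created a dynamic rule for that flow. Real ipfw also ages dynamic rules out and tracks TCP state beyond what this model does, but the ordering (`check-state` before the `keep-state` rule, default deny last) is the part the thread calls using `keep-state` correctly.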