From owner-freebsd-stable Sat Jan 12 10:37:29 2002
Delivered-To: freebsd-stable@freebsd.org
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Sat, 12 Jan 2002 11:37:06 -0700
To: Ian
Cc: Rolandas Naujikas
Subject: Re: tcp keepalive and dynamic ipfw rules
Message-ID: <15424.33362.685365.782853@caddis.yogotech.com>
References: <20020112123054.A20486@localhost>

> > I have set up a dynamic firewall for my personal computer with such rules
> >
> > ipfw add check-state
> > ipfw add deny tcp from any to any established

This rule doesn't do a heck of a lot, unless you have by default an
'open' setup.

> > ipfw add pass tcp from me to any setup keep-state
> >
> > from ipfw(8) manual on "FreeBSD 4.5-RC".
> >
> > I found a problem with ftp: when a download takes longer than 5 minutes,
> > then after the download the ftp client stalls. I don't see the dynamic
> > rule allowing the tcp control connection any more.
> > net.inet.tcp.always_keepalive=1.
> >
> > Rolandas
> >
> > P.S. I'm sorry for my English.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
>
> I remember having this same problem when I used dynamic rules. The design
> of dynamic rules seems to be such that they're mainly useful for things like
> web servers that have many short-lived connections.

It's less useful for TCP connections, and much more useful for UDP
connections, which are almost always short-lived.

> Eventually I ended up
> hacking ipfw to make dynamic rules work differently, and at one time I
> planned to get those changes submitted back for everyone, but recently I
> changed my mind. I just keep thinking "There has to be a better way to do
> all of this; hacking an already iffy hack isn't the way." So I quit using
> dynamic rules completely.

I still use them for UDP services (DNS, etc.), but for TCP services, I
rely on the old standby rules.

# Allow me to make UDP connections
ipfw add check-state
ipfw add pass udp from me to any keep-state out

# Allow me to make TCP connections
ipfw add pass tcp from me to any setup
ipfw add pass tcp from any to any established

# Block everything else
ipfw add deny log all from any to any

These 5 simple rules should do the trick for most things (except for
active-mode ftp). Yes, there are still potential issues with using the
'established' keyword, but if you want to avoid them, use more complex
firewall rules and/or ipf.

(Note, I don't believe the above rules are very secure, since they allow
out all sorts of nasty things you probably don't want to allow out, nor
do they allow in services you may want to allow, such as SMTP, but it
should be a good starting point for a client setup).

Nate
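As an added illustration (not code from the message above or from ipfw itself), the following Python model of an ipfw dynamic-rule table shows why the idle ftp control connection drops out during a long transfer: the established-state entry is assumed here to live 300 seconds (the net.inet.ip.fw.dyn_ack_lifetime default), while a TCP keepalive probe that would refresh it is assumed not to be sent until 7200 seconds of idleness (the net.inet.tcp.keepidle default), so always_keepalive=1 cannot help within the 5-minute window. Flow tuples and timings are constructed.

```python
"""Toy model of ipfw dynamic rules: why a long ftp transfer loses its
control connection. Added example; sysctl defaults below are assumed."""

DYN_ACK_LIFETIME = 300   # seconds; assumed default of net.inet.ip.fw.dyn_ack_lifetime
TCP_KEEPIDLE = 7200      # seconds; assumed default of net.inet.tcp.keepidle (7200000 ms)


class DynTable:
    """Dynamic rule table: flow tuple -> time at which the entry expires."""

    def __init__(self, lifetime=DYN_ACK_LIFETIME):
        self.lifetime = lifetime
        self.entries = {}

    def setup(self, flow, now):
        # A packet matching "... setup keep-state" creates the entry.
        self.entries[flow] = now + self.lifetime

    def check_state(self, flow, now):
        """check-state: drop expired entries, then pass and refresh a matching flow."""
        for f in [f for f, t in self.entries.items() if t <= now]:
            del self.entries[f]
        if flow not in self.entries:
            return False
        self.entries[flow] = now + self.lifetime
        return True


def ftp_session(transfer_seconds, keepidle=TCP_KEEPIDLE, lifetime=DYN_ACK_LIFETIME):
    """Return True if the control connection still passes check-state after the transfer."""
    table = DynTable(lifetime)
    control = ("me", 50000, "ftp-server", 21)   # constructed flow tuples (hypothetical host)
    data = ("me", 50001, "ftp-server", 20000)   # passive-mode data connection
    table.setup(control, 0)
    table.setup(data, 1)
    for t in range(2, transfer_seconds):
        table.check_state(data, t)          # data packets refresh the data entry every second
        if t % keepidle == 0:               # always_keepalive probes the idle control channel
            table.check_state(control, t)   # only once keepidle seconds of silence have passed
    # Transfer done: the client sends its next command on the control connection.
    return table.check_state(control, transfer_seconds)


if __name__ == "__main__":
    print("200 s transfer, control still allowed:", ftp_session(200))          # True
    print("360 s transfer, control still allowed:", ftp_session(360))          # False
    print("360 s transfer, keepidle 120 s:", ftp_session(360, keepidle=120))   # True
```

Raising the dynamic rule lifetime or lowering the keepalive idle time both keep the entry alive in the model, which is the trade-off the static "setup" / "established" rules in the message avoid altogether.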