Date: Sat, 12 Jan 2002 11:37:06 -0700 From: Nate Williams <nate@yogotech.com> To: Ian <freebsd@damnhippie.dyndns.org> Cc: Rolandas Naujikas <rolnauj@delfi.lt>, <stable@FreeBSD.ORG> Subject: Re: tcp keepalive and dynamic ipfw rules Message-ID: <15424.33362.685365.782853@caddis.yogotech.com> In-Reply-To: <B865C95B.911F%freebsd@damnhippie.dyndns.org> References: <20020112123054.A20486@localhost> <B865C95B.911F%freebsd@damnhippie.dyndns.org>
> > I have set up a dynamic firewall for my personal computer with such rules
> >
> > ipfw add check-state
> > ipfw add deny tcp from any to any established

This rule doesn't do a heck of a lot, unless you have by default an
'open' setup.

> > ipfw add pass tcp from me to any setup keep-state
> >
> > from ipfw(8) manual on "FreeBSD 4.5-RC".
> >
> > I found a problem with ftp: when a download takes longer than 5 minutes,
> > then after the download the ftp client stalls. I don't see the dynamic
> > rule allowing the tcp control connection any more.
> > net.inet.tcp.always_keepalive=1.
> >
> > Rolandas
> >
> > P.S. I'm sorry for my English.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
>
> I remember having this same problem when I used dynamic rules. The design
> of dynamic rules seems to be such that they're mainly useful for things like
> web servers that have many short-lived connections.

It's less useful for TCP connections, and much more useful for UDP
connections which are almost always short-lived.

> Eventually I ended up
> hacking ipfw to make dynamic rules work differently, and at one time I
> planned to get those changes submitted back for everyone, but recently I
> changed my mind. I just keep thinking "There has to be a better way to do
> all of this; hacking an already iffy hack isn't the way." So I quit using
> dynamic rules completely.

I still use them for UDP services (DNS, etc..), but for TCP services, I
rely on the old standby rules.

# Allow me to make UDP connections
ipfw add check-state
ipfw add pass udp from me to any keep-state out

# Allow me to make TCP connections
ipfw add pass tcp from me to any setup
ipfw add pass tcp from any to any established

# Block everything else
ipfw add deny log all from any to any

These 5 simple rules should do the trick for most things (except for
active-mode ftp).
Yes, there are still potential issues with using the 'established'
keyword, but if you want to avoid them, use more complex firewall rules
and/or ipf.

(Note, I don't believe the above rules are very secure, since they allow
out all sorts of nasty things you probably don't want to allow out, nor
do they allow in services you may want to allow, such as SMTP, but it
should be a good starting point for a client setup).

Nate
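Added example, not code from the thread: a toy model of ipfw's first-match evaluation run over the two rule sets above, with a constructed passive-mode FTP session, a DNS lookup and one unsolicited probe mixed in. It assumes ipfw's default idle timeout for TCP dynamic rules (net.inet.ip.fw.dyn_ack_lifetime, 300 seconds) and ipfw's definitions of 'setup' (SYN without ACK) and 'established' (ACK or RST set); the addresses, ports and packet timings are made up for the trace, and a catch-all deny is appended to Rolandas' set to stand in for a default-closed kernel. It shows the five-minute stall (the control connection's dynamic rule expires while the data connection is busy, so the server's next control packet hits the 'deny ... established' rule), and the price of Nate's stateless alternative (any inbound packet with the ACK bit set is passed by rule 400).

```python
"""Toy model of the two ipfw rule sets from the thread (added example).

Re-implements just enough of ipfw's matching to show why the dynamic
(check-state/keep-state) set loses an idle FTP control connection after
dyn_ack_lifetime, and what the stateless 'established' rule lets through
instead. Addresses, ports and the packet trace are constructed.
"""
from dataclasses import dataclass

DYN_ACK_LIFETIME = 300      # ipfw default: seconds an idle TCP dynamic rule lives
ME = "192.0.2.10"           # constructed address standing in for 'me'


@dataclass(frozen=True)
class Pkt:
    t: int                  # seconds since the start of the trace
    proto: str              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


# ipfw(8): 'setup' = SYN without ACK; 'established' = ACK or RST set.
def is_setup(p):       return p.proto == "tcp" and p.syn and not p.ack
def is_established(p): return p.proto == "tcp" and (p.ack or p.rst)
def from_me(p):        return p.src == ME


class DynTable:
    """Dynamic rules keyed by the bidirectional 5-tuple, each with an expiry.
    Simplification: every entry uses dyn_ack_lifetime; real ipfw uses shorter
    lifetimes for the SYN/FIN/RST phases and for UDP."""
    def __init__(self):
        self.entries = {}

    @staticmethod
    def key(p):
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def match(self, p):
        k = self.key(p)
        expiry = self.entries.get(k)
        if expiry is None or p.t >= expiry:        # absent or timed out
            self.entries.pop(k, None)
            return False
        self.entries[k] = p.t + DYN_ACK_LIFETIME   # traffic refreshes the timer
        return True

    def add(self, p):
        self.entries[self.key(p)] = p.t + DYN_ACK_LIFETIME


# Rule = (number, predicate, action); "keep" = pass and create a dynamic rule.
RULES_DYNAMIC = [    # Rolandas' rules, plus a catch-all deny (default-closed kernel)
    (100,   lambda p, d: d.match(p), "pass"),                                     # check-state
    (200,   lambda p, d: is_established(p), "deny"),                              # deny tcp established
    (300,   lambda p, d: p.proto == "tcp" and from_me(p) and is_setup(p), "keep"),  # pass setup keep-state
    (65535, lambda p, d: True, "deny"),
]
RULES_STATELESS = [  # Nate's five rules
    (100, lambda p, d: d.match(p), "pass"),                                       # check-state
    (200, lambda p, d: p.proto == "udp" and from_me(p), "keep"),                  # pass udp from me keep-state
    (300, lambda p, d: p.proto == "tcp" and from_me(p) and is_setup(p), "pass"),  # pass tcp from me setup
    (400, lambda p, d: is_established(p), "pass"),                                # pass tcp established
    (500, lambda p, d: True, "deny"),                                             # deny log all
]


def filter_packet(rules, p, dyn):
    """First matching rule wins, as in ipfw. Returns (action, rule_number)."""
    for num, pred, action in rules:
        if pred(p, dyn):
            if action == "keep":
                dyn.add(p)
                return ("pass", num)
            return (action, num)
    raise AssertionError("ruleset has no catch-all rule")


def run_trace(rules):
    """Constructed trace: DNS lookup, passive-mode FTP with a ~400 s transfer,
    and one unsolicited ACK probe. Returns {label: (action, rule)}."""
    FTP, DNS, EVIL = "198.51.100.7", "198.51.100.53", "203.0.113.9"
    trace = [
        ("dns query",     Pkt(0,   "udp", ME, 53123, DNS, 53)),
        ("dns reply",     Pkt(1,   "udp", DNS, 53, ME, 53123)),
        ("ctrl SYN",      Pkt(2,   "tcp", ME, 50000, FTP, 21, syn=True)),
        ("ctrl SYN/ACK",  Pkt(3,   "tcp", FTP, 21, ME, 50000, syn=True, ack=True)),
        ("ctrl ACK",      Pkt(4,   "tcp", ME, 50000, FTP, 21, ack=True)),
        ("data SYN",      Pkt(5,   "tcp", ME, 50001, FTP, 40000, syn=True)),
        ("probe ACK->22", Pkt(10,  "tcp", EVIL, 1234, ME, 22, ack=True)),   # unsolicited
        ("data at 200s",  Pkt(200, "tcp", FTP, 40000, ME, 50001, ack=True)),
        ("data at 400s",  Pkt(400, "tcp", FTP, 40000, ME, 50001, ack=True)),
        ("226 on ctrl",   Pkt(401, "tcp", FTP, 21, ME, 50000, ack=True)),   # ctrl idle since t=4
    ]
    dyn = DynTable()
    return {label: filter_packet(rules, p, dyn) for label, p in trace}


if __name__ == "__main__":
    for name, rules in (("dynamic", RULES_DYNAMIC), ("stateless", RULES_STATELESS)):
        print(name)
        for label, (action, num) in run_trace(rules).items():
            print(f"  {label:14s} {action:4s} (rule {num})")
```

Running it, the dynamic set denies "226 on ctrl" at rule 200 because the control connection's entry, last refreshed at t=4, expired at t=304 while only the data connection kept its own entry alive; it also denies the DNS query outright, since the quoted rules have no UDP rule. The stateless set passes the control packet by rule 400, but passes the probe to port 22 by the same rule, which is the weakness of 'established' that the message alludes to.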