Date: Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
From: Mike Hoskins <mike@adept.org>
To: Stephen Montgomery-Smith <stephen@math.missouri.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
Message-ID: <Pine.BSF.4.21.0007251206530.27676-100000@snafu.adept.org>
In-Reply-To: <397D0A56.E695E55C@math.missouri.edu>
On Mon, 24 Jul 2000, Stephen Montgomery-Smith wrote:

> I read the ipfw man page, and it is so terse on this subject
> that I cannot understand it. Like many man pages, it gives
> a lot of details, but does not provide the overall picture.

As I said, not a complete reference... But I think if you read it enough times (not unlike many mathematics texts ;), it does sink in.

> If anyone could tell me the overall picture of what dynamic rules
> are about - give me a start and a context so that the man page
> makes sense, I would really appreciate it.

The ruleset I pasted, at least, is pretty straightforward... For incoming connections, allow/deny based upon the specific static rules I specified... For outgoing (from inside LAN) connections, essentially 'listen' for attempts, dynamically generate specific rules needed by that session (check state), then monitor the connection and keep the dynamic rule around as long as a conversation is taking place (keep state).

So, essentially, your firewall is 'learning' rules for internal hosts... Allowing exactly what they need on the fly. You can still limit hosts with specific denys if your LAN is not fully trusted.

I came into this mess with mostly only PIX/FW1 experience... I'll admit some initial frustration when glancing over the man page, but after I decided to read it, word for word, and started toying with the examples, I've found ipfw's syntax/behavior to be (often) more appealing than the other products I use on a daily basis.

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007251206530.27676-100000>
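The check-state / keep-state pattern Mike describes (static rules for inbound, dynamic rules learned for outbound LAN sessions, plus a specific deny for a less-trusted host), written out as a small ipfw(8) ruleset. This is an added example, not the ruleset from the original thread or anything from the FreeBSD project; the interface names, the LAN and external addresses, the rule numbers and the `stateful_rules` function are all assumptions for illustration. `fwcmd` defaults to `echo ipfw` so the script only prints the rules it would load; set `fwcmd=/sbin/ipfw` on a FreeBSD host to actually install them. NAT is deliberately left out: a `divert natd` rule placed ahead of these would hand outbound packets to the keep-state rules with the source already translated, so the `from ${lan}` matches would have to be reworked, and that is exactly the sort of interaction the original subject line is about.

```shell
#!/bin/sh
# Added example of an ipfw stateful ruleset (not from the original post).
# Everything below the comment block is an assumption chosen for illustration.
fwcmd="${fwcmd:-echo ipfw}"       # assumed: "echo ipfw" prints, /sbin/ipfw loads
oif="${oif:-fxp0}"                # assumed outside (Internet) interface
lan="${lan:-192.168.1.0/24}"      # assumed inside LAN network
ext="${ext:-203.0.113.2}"         # assumed address on the outside interface
badhost="${badhost:-192.168.1.66}" # assumed LAN host that is not trusted

stateful_rules() {
    ${fwcmd} -f flush

    # 1. Consult the dynamic rule table first. Any packet belonging to a
    #    session already learned by a keep-state rule is accepted here,
    #    so replies to LAN-initiated connections never reach the static
    #    inbound denies further down.
    ${fwcmd} add 100 check-state

    # 2. Static rules for inbound connections from the outside: allow
    #    exactly the services we offer (here ssh to the firewall itself)
    #    and deny every other new TCP connection coming in on ${oif}.
    ${fwcmd} add 200 allow tcp from any to ${ext} 22 in via ${oif} setup
    ${fwcmd} add 300 deny tcp from any to any in via ${oif} setup

    # 3. A specific deny for a LAN host we do not fully trust. It must
    #    sit before the keep-state rules, otherwise that host's first
    #    packet would match rule 400 and a dynamic rule would be learned
    #    for it anyway.
    ${fwcmd} add 350 deny ip from ${badhost} to any out via ${oif}

    # 4. Outbound connections from the LAN. The first packet of a session
    #    matches here; keep-state then installs a dynamic rule for that
    #    exact src/dst/port pair, which rule 100 honours until the
    #    conversation goes idle or the TCP session closes.
    ${fwcmd} add 400 allow tcp from ${lan} to any out via ${oif} setup keep-state
    ${fwcmd} add 500 allow udp from ${lan} to any out via ${oif} keep-state
    ${fwcmd} add 600 allow icmp from ${lan} to any out via ${oif} keep-state

    # 5. Anything not matched statically or dynamically is dropped.
    ${fwcmd} add 65000 deny ip from any to any
}

# Print (or, with fwcmd=/sbin/ipfw, load) the ruleset.
stateful_rules
```

The important ordering facts the script encodes are that `check-state` comes first, that inbound `setup` packets only ever meet static rules, and that a per-host deny has to precede the `keep-state` rules it is meant to override; in FreeBSD's own rc.firewall the same `${fwcmd}` indirection is what makes a ruleset reviewable by printing it before loading it.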