From owner-freebsd-security Tue Jul 25 12:13:44 2000
Delivered-To: freebsd-security@freebsd.org
Received: from snafu.adept.org (adsl-63-201-63-44.dsl.snfc21.pacbell.net [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 1C24C37B87E for ; Tue, 25 Jul 2000 12:13:33 -0700 (PDT) (envelope-from mike@adept.org)
Received: by snafu.adept.org (Postfix, from userid 1000) id 243479EE01; Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 1BC879B001; Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
Date: Tue, 25 Jul 2000 12:13:10 -0700 (PDT)
From: Mike Hoskins
To: Stephen Montgomery-Smith
Cc: freebsd-security@freebsd.org
Subject: Re: Problems with natd and simple firewall
In-Reply-To: <397D0A56.E695E55C@math.missouri.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 24 Jul 2000, Stephen Montgomery-Smith wrote:

> I read the ipfw man page, and it is so terse on this subject
> that I cannot understand it. Like many man pages, it gives
> a lot of details, but does not provide the overall picture.

As I said, not a complete reference... But I think if you read it enough times (not unlike many mathematics texts ;), it does sink in.

> If anyone could tell me the overall picture of what dynamic rules
> are about - give me a start and a context so that the man page
> makes sense, I would really appreciate it.

The ruleset I pasted, at least, is pretty straightforward... For incoming connections, allow/deny based upon the specific static rules I specified... For outgoing (from inside LAN) connections, essentially 'listen' for attempts, dynamically generate specific rules needed by that session (check state), then monitor the connection and keep the dynamic rule around as long as a conversation is taking place (keep state). So, essentially, your firewall is 'learning' rules for internal hosts... Allowing exactly what they need on the fly. You can still limit hosts with specific denies if your LAN is not fully trusted.

I came into this mess with mostly only PIX/FW1 experience... I'll admit some initial frustration when glancing over the man page, but after I decided to read it, word for word, and started toying with the examples, I've found ipfw's syntax/behavior to be (often) more appealing than the other products I use on a daily basis.

-mrh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
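The ruleset Mike refers to is not reproduced in the message above. The following is an added example (not Mike's ruleset and not FreeBSD's own rc.firewall) of the pattern he describes: static rules decide inbound connections, while outbound LAN traffic is handled by keep-state rules whose dynamic entries are matched by a single check-state, all combined with a natd divert as in the thread's subject. The interface names (tun0 outside, fxp0 inside), the LAN prefix 192.168.1.0/24, the permitted inbound service and the rule numbers are assumptions. The ordering around natd is the point worth checking: keep-state records the addresses the packet has when the rule fires, so outbound state must be created before translation (hence the skipto past the inbound section to the translating divert), and inbound replies must be untranslated before check-state; with the divert placed first in both directions, the dynamic rule holds the public address while the reply arrives carrying the LAN address, and the reply is denied.

```shell
#!/bin/sh
# Added example, not the ruleset from the original post or FreeBSD's rc.firewall.
# Assumptions (not from the message): outside interface tun0, inside interface
# fxp0, LAN 192.168.1.0/24, natd already running on the "natd" divert port
# (e.g. natd -interface tun0). Run as root with fwcmd=/sbin/ipfw to load the
# rules; the default only prints them so the ordering can be reviewed first.
fwcmd="${fwcmd:-echo ipfw}"
oif="tun0"
iif="fxp0"
inet="192.168.1.0/24"

load_rules() {
    ${fwcmd} -f flush

    # Loopback and LAN-side traffic need no state tracking.
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add 110 allow all from any to any via ${iif}

    # Anti-spoofing: a LAN source address never arrives on the outside interface.
    ${fwcmd} add 200 deny log all from ${inet} to any in via ${oif}

    # INBOUND: untranslate first, so check-state compares the reply against the
    # LAN addresses that were recorded when the dynamic rule was created.
    ${fwcmd} add 300 divert natd all from any to any in via ${oif}
    ${fwcmd} add 310 check-state

    # OUTBOUND from the LAN: create the dynamic rule on the still-untranslated
    # packet, then skip past the static inbound rules to the translating divert.
    ${fwcmd} add 400 skipto 1000 tcp from ${inet} to any out via ${oif} setup keep-state
    ${fwcmd} add 410 skipto 1000 udp from ${inet} to any out via ${oif} keep-state
    ${fwcmd} add 420 skipto 1000 icmp from ${inet} to any out via ${oif} keep-state

    # Static rules for connections initiated from the outside (assumed: ssh only).
    ${fwcmd} add 500 allow tcp from any to any 22 in via ${oif} setup
    ${fwcmd} add 510 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 520 deny log all from any to any in via ${oif}

    # Translate the permitted outbound packet. Rule 1010 has no direction, because
    # an inbound reply matched at check-state inherits its parent's skipto and must
    # be allowed here as well.
    ${fwcmd} add 1000 divert natd all from any to any out via ${oif}
    ${fwcmd} add 1010 allow all from any to any

    ${fwcmd} add 65000 deny log all from any to any
}

load_rules
```

Traffic originated by the firewall host itself is not covered by the LAN keep-state rules and would need its own keep-state entries ahead of rule 1000; `ipfw -d show` lists the dynamic rules while a connection is open, which is the quickest way to confirm that the recorded addresses are the LAN ones.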