From: Bill Moran <wmoran@potentialtech.com>
To: Rob
cc: freebsd-questions@freebsd.org
Date: Fri, 17 Sep 2004 11:44:27 -0400
Organization: Potential Technologies
Subject: Re: Too many dynamic rules, sorry

Rob wrote:
> Norm Vilmer wrote:
> > Here are the rules that I have that keep-state on the outside interface:
> >
> > # For DNS
> > add 01300 pass udp from ${oip} to any 53 keep-state
> > # For NTP
> > add 01400 pass udp from ${oip} to any 123 keep-state
> > # For VPN
> > add 01500 pass gre from any to any keep-state
> > # For ICMP
> > add 01600 pass icmp from any to any via ${oip} keep-state
> >
> > Do you think these are causing the problem?
>
> Aren't udp and icmp state-less protocols?
> In that case, keep-state would not make much sense.
>
> I use 'keep-state' only for tcp rules.
>
> I may be wrong, moreover, I haven't followed the full thread :).

You'll generally need to keep state on UDP when you play online games.
If you're smart, you don't allow arbitrary UDP packets from the outside
world into your network, but if you're playing Unreal or something, then
all communication is via UDP, and you won't be able to play.

The best solution is to allow all UDP traffic to _leave_, while keeping
state. The keep-state remembers the ip/port information on the outgoing
packets, and thus allows return packets to get back in (by matching the
ip/port pair).

Now, when you know the port, it doesn't really make sense to use
keep-state, and all you're really doing is spamming your state tables.
If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
these rules (designed to handle running a DNS server):

# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any

Granted, it's three rules instead of 1, but it does not use your state
tables unnecessarily (sp?)

HTH.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
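An added example, not part of the mail above or of FreeBSD's own rc.firewall, that puts the two approaches side by side in rc.firewall style: stateless rules for UDP services whose port is fixed (DNS, NTP on the outside address), and a single keep-state rule for outbound client UDP where the remote port is not known in advance. The address in `oip` is a constructed placeholder and `fwcmd` defaults to `echo ipfw`, so the script only prints the rules it would load.

```shell
#!/bin/sh
# Added example: stateless vs. stateful UDP rules for ipfw.
# oip is the outside interface address (constructed placeholder here).
# fwcmd defaults to a dry run; set fwcmd=/sbin/ipfw to actually load rules.
oip="${oip:-192.0.2.1}"
fwcmd="${fwcmd:-echo ipfw}"

# Service we run ourselves: the port is fixed, so two stateless rules
# cover both directions and no dynamic-table entry is created per query.
stateless_udp_service() {
    port="$1"
    ${fwcmd} add pass udp from any to ${oip} ${port}
    ${fwcmd} add pass udp from ${oip} ${port} to any
}

# Outbound client UDP (games, etc.): the remote port is arbitrary, so
# keep-state records the ip/port pair on the way out and check-state
# admits only the matching replies; one dynamic entry per flow.
stateful_udp_client() {
    ${fwcmd} add check-state
    ${fwcmd} add pass udp from ${oip} to any keep-state
}

# Full ruleset: fixed-port services stateless, everything else stateful,
# then drop any other unsolicited UDP aimed at the outside address.
ruleset() {
    stateless_udp_service 53    # DNS
    stateless_udp_service 123   # NTP
    stateful_udp_client
    ${fwcmd} add deny udp from any to ${oip}
}

# How many rules in the generated set consume the dynamic table.
keep_state_count() {
    ruleset | grep -c keep-state
}

ruleset
```

The "Too many dynamic rules" message in the subject line is what ipfw reports when its dynamic table is full; the table size is governed by the `net.inet.ip.fw.dyn_max` sysctl (assumed from FreeBSD's ipfw tunables, not stated in the mail).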