Date:      Fri, 17 Sep 2004 09:14:55 -0700 (PDT)
From:      Dave McCammon <davemac11@yahoo.com>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        questions@freebsd.org
Subject:   Re: Too many dynamic rules, sorry
Message-ID:  <20040917161455.2473.qmail@web41404.mail.yahoo.com>
In-Reply-To: <20040917114427.24aac112.wmoran@potentialtech.com>

> You'll generally need to keep state on UDP when you play online games.
> 
> If you're smart, you don't allow arbitrary UDP packets from the outside
> world into your network, but if you're playing Unreal or something, then
> all communication is via UDP, and you won't be able to play.
> 
> The best solution is to allow all UDP traffic to _leave_, while keeping
> state.  The keep-state remembers the ip/port information on the outgoing
> packets, and thus allows return packets to get back in (by matching the
> ip/port pair).
> 
> Now, when you know the port, it doesn't really make sense to use
> keep-state, and all you're really doing is spamming your state tables.
> 
> If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> these rules (designed to handle running a DNS server):
>         # Allow access to our DNS
>         ${fwcmd} add pass tcp from any to ${oip} 53 setup
>         ${fwcmd} add pass udp from any to ${oip} 53
>         ${fwcmd} add pass udp from ${oip} 53 to any
> 
> Granted, it's three rules instead of 1, but it does not use your state
> tables unnecessarily (sp?)
> 
Unless you have, above the "#Allow access to our DNS" rules,

${fwcmd} add pass udp from ${oip} to any keep-state

to allow all UDP to leave.
The first incoming packet to port 53 will match the stateless rule

${fwcmd} add pass udp from any to ${oip} 53

but the reply will create a dynamic rule, because the first match is

${fwcmd} add pass udp from ${oip} to any keep-state
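
The ordering effect described in this reply, as an added illustration that is not part of the thread: a toy first-match walker that mimics how ipfw evaluates rules top to bottom and adds a dynamic entry when a keep-state rule matches. The addresses, the client port, and the simplified matching (an existing dynamic entry in either direction wins, as with check-state) are assumptions for the example, not ipfw's real implementation.

```python
from dataclasses import dataclass, field
from typing import Optional

OIP = "192.0.2.10"       # stands in for ${oip}; constructed address, not from the thread
CLIENT = "198.51.100.5"  # constructed remote resolver address

@dataclass
class Rule:
    src: str                 # "any" or an address
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]
    keep_state: bool = False

    def matches(self, pkt):
        s, sp, d, dp = pkt
        return (self.src in ("any", s) and self.sport in (None, sp)
                and self.dst in ("any", d) and self.dport in (None, dp))

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)   # (src, sport, dst, dport) tuples

    def pass_packet(self, pkt):
        """First-match walk. An existing dynamic entry (either direction) wins,
        as with check-state; a matching keep-state rule adds a dynamic entry."""
        s, sp, d, dp = pkt
        if pkt in self.dynamic or (d, dp, s, sp) in self.dynamic:
            return "dynamic"
        for i, r in enumerate(self.rules):
            if r.matches(pkt):
                if r.keep_state:
                    self.dynamic.add(pkt)
                return i
        return None   # no match (a real ruleset ends in deny)

KEEP = Rule(OIP, None, "any", None, keep_state=True)  # add pass udp from ${oip} to any keep-state
DNS_IN = Rule("any", None, OIP, 53)                    # add pass udp from any to ${oip} 53
DNS_OUT = Rule(OIP, 53, "any", None)                   # add pass udp from ${oip} 53 to any

def dns_exchange(rules):
    """Run one query/reply pair through the ruleset.
    Returns (rule index hit by the query, rule index hit by the reply, dynamic entries created)."""
    fw = Firewall(list(rules))
    q = fw.pass_packet((CLIENT, 40000, OIP, 53))   # incoming DNS query
    r = fw.pass_packet((OIP, 53, CLIENT, 40000))   # our reply
    return q, r, len(fw.dynamic)

if __name__ == "__main__":
    print("keep-state first:", dns_exchange([KEEP, DNS_IN, DNS_OUT]))  # reply hits keep-state -> 1 dynamic entry
    print("DNS rules first: ", dns_exchange([DNS_IN, DNS_OUT, KEEP]))  # reply hits stateless rule -> 0
```

With the keep-state rule above the DNS rules, every reply from port 53 creates a dynamic entry; moving the stateless DNS rules above it keeps the state table clear of DNS traffic.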



		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040917161455.2473.qmail>