From owner-freebsd-questions@FreeBSD.ORG Fri Sep 17 16:16:18 2004
Message-ID: <20040917161617.96351.qmail@web41403.mail.yahoo.com>
Date: Fri, 17 Sep 2004 09:16:17 -0700 (PDT)
From: Dave McCammon <davemac11@yahoo.com>
To: questions@freebsd.org
In-Reply-To: <20040917114427.24aac112.wmoran@potentialtech.com>
Subject: Re: Too many dynamic rules, sorry

--- Bill Moran wrote:

> Rob wrote:
>
> > Norm Vilmer wrote:
> > > Here are the rules that I have that keep-state on the outside interface:
> > >
> > > #For DNS
> > > add 01300 pass udp from ${oip} to any 53 keep-state
> > > # For NTP
> > > add 01400 pass udp from ${oip} to any 123 keep-state
> > > # For VPN
> > > add 01500 pass gre from any to any keep-state
> > > # For ICMP
> > > add 01600 pass icmp from any to any via ${oip} keep-state
> > >
> > > Do you think these are causing the problem?
> >
> > Aren't udp and icmp state-less protocols?
> > In that case, keep-state would not make much sense.
> >
> > I use 'keep-state' only for tcp rules.
> >
> > I may be wrong, moreover, I haven't followed the full thread :).
>
> You'll generally need to keep state on UDP when you play online games.
> If you're smart, you don't allow arbitrary UDP packets from the outside
> world into your network, but if you're playing Unreal or something, then
> all communication is via UDP, and you won't be able to play.
>
> The best solution is to allow all UDP traffic to _leave_, while keeping
> state. The keep-state remembers the ip/port information on the outgoing
> packets, and thus allows return packets to get back in (by matching the
> ip/port pair).
>
> Now, when you know the port, it doesn't really make sense to use
> keep-state, and all you're really doing is spamming your state tables.
>
> If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> these rules (designed to handle running a DNS server):
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
>
> Granted, it's three rules instead of 1, but it does not use your state
> tables unnecessarily (sp?)
>
> HTH.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
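The contrast Bill draws above, as an added example that is not part of the thread or of FreeBSD's ipfw: a toy Python model of static rules plus keep-state dynamic entries, run over constructed outgoing DNS traffic under Norm's rule 01300 and under a stateless rule pair. The ${oip} address, the resolver address and the dyn_max limit are constructed stand-ins, and the stateless pair is the client-side analogue of the rc.firewall server rules Bill quotes.

```python
# Toy model of ipfw static rules plus keep-state dynamic entries (added example, not
# FreeBSD's ipfw). It shows why keep-state on a known-port UDP rule fills the dynamic
# table, while an explicit stateless rule pair passes the same traffic with no state.
from collections import namedtuple

OIP = "192.0.2.1"           # constructed outside address, stands in for ${oip}
RESOLVER = "198.51.100.53"  # constructed upstream DNS server
DYN_MAX = 4                 # constructed stand-in for net.inet.ip.fw.dyn_max

Packet = namedtuple("Packet", "proto src sport dst dport")
# src/dst may be "any"; a port of None means any port, like an omitted port in ipfw.
Rule = namedtuple("Rule", "proto src sport dst dport keep_state", defaults=(False,))

def matches(r, p):
    return (p.proto == r.proto and r.src in ("any", p.src) and r.sport in (None, p.sport)
            and r.dst in ("any", p.dst) and r.dport in (None, p.dport))

class Firewall:
    def __init__(self, rules):
        self.rules, self.dynamic = list(rules), set()

    def check(self, p):
        # A dynamic entry matches the flow in both directions, as ipfw's do.
        key = (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))
        if key in self.dynamic:
            return "pass"
        for r in self.rules:
            if matches(r, p):
                if r.keep_state:
                    if len(self.dynamic) >= DYN_MAX:
                        return "deny"   # ipfw drops the packet: "Too many dynamic rules"
                    self.dynamic.add(key)
                return "pass"
        return "deny"                   # implicit default deny

# Norm's rule 01300: outgoing DNS queries with keep-state.
STATEFUL = [Rule("udp", OIP, None, "any", 53, True)]
# Client-side analogue of the stateless rc.firewall DNS pair Bill quotes.
STATELESS = [Rule("udp", OIP, None, "any", 53), Rule("udp", "any", 53, OIP, None)]

def run(rules, n):
    """Pass n constructed DNS queries (distinct ephemeral ports) plus their replies
    through rules; return (packets denied, dynamic entries held afterwards)."""
    fw = Firewall(rules)
    denied = 0
    for port in range(50000, 50000 + n):
        denied += fw.check(Packet("udp", OIP, port, RESOLVER, 53)) == "deny"
        denied += fw.check(Packet("udp", RESOLVER, 53, OIP, port)) == "deny"
    return denied, len(fw.dynamic)
```

With six queries, the keep-state rule holds four entries and drops the fifth and sixth query and their replies, while the stateless pair passes everything and holds nothing.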