From owner-freebsd-questions Thu Jul 30 16:31:59 1998
From: spork <spork@super-g.com>
Date: Thu, 30 Jul 1998 19:31:54 -0400 (EDT)
To: questions@FreeBSD.ORG
Subject: IPFilter and "stateful inspection"(TM)

Hello,

I saw a post on the Cisco list regarding routers vs. PCs, and someone had mentioned doing "stateful inspection" (à la Firewall-1) under FreeBSD. He pointed to IPFilter (http://coombs.anu.edu.au/~avalon/ip-filter.html). Looking at this snippet, is it saying what I think it says? Which is "throw away FW-1 for your cheap clients and install IPFilter and FBSD on a PC"??

From what I know of FW-1, it keeps track ("state") of outgoing connections, i.e. user goes to www.news.com, firewall makes a note of it, opens a hole in the packet filter to let the return packets from www.news.com in and then closes the hole. Roughly...

So does that sound like what this describes? If so, that rocks so hard I might wet myself.

Opinions? Questions? IPFW vs. IPFilter rants? IPFilter will be in 3.0 if memory serves, correct?

[snippet]

4. keep state

Q. What does "keep state" actually do ? Is it useful ?

A. First, yes, it is useful.
What it does is allow you to only allow TCP packets through your firewall which are recognised as being part of an established connection rather than just arbitrary TCP packets which can be used to perform "stealth scanning". In terms of rules, the following:

	pass in proto tcp all
	block out proto tcp all
	pass in quick proto tcp from any to any port = smtp flags S/SA
	block in quick proto tcp all flags S/SA
	pass out proto tcp from any port = smtp to any

can be replaced by

	block in proto tcp all
	block out proto tcp all
	pass in quick proto tcp from any to any port = smtp flags S/SA keep state

"keep state" automatically matches packets going in the reverse direction (usually out) or on other interfaces without needing explicit rules.

For UDP, it will automatically allow packets in which are the "reverse" of packets that have already been allowed through, without needing to allow too many packets through. For example, the following could be used for DNS clients:

	block out proto udp all
	block in proto udp all
	pass out proto udp from any port > 1024 to any port = 53
	pass in proto udp from any port = 53 to any port > 1024

which allows through a LOT of unwanted packets. This can be effectively replaced with the following:

	block out proto udp all
	block in proto udp all
	pass out proto udp from any to any port = 53 keep state

[/snippet]

Charles

Charles Sprickman
spork@super-g.com

----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
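The difference between the two rulesets in the snippet is easiest to see by running packets through both. The model below is an added example, not IPFilter's code and not from the FAQ or from Charles's post: it implements the "keep state" rules from the snippet as a tiny flow table (a new entry is created only by a packet that matches a keep-state rule, and any later packet whose 5-tuple matches an entry in either direction passes), beside the stateless DNS ruleset for comparison. The addresses, ports and packets are constructed for the demo; ipf's "last match wins unless quick" evaluation and the S/SA flag meaning (SYN set, ACK clear) are the only assumptions about ipf itself, and timeouts and FIN tracking are deliberately not modelled.

```python
# Toy model of IPFilter's "keep state" (added example, not IPFilter's code).
# All addresses, ports and packets below are constructed for the demo.
from dataclasses import dataclass

SMTP, DNS = 25, 53


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    direction: str   # "in" or "out", relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters: S=SYN A=ACK F=FIN R=RST


def syn_only(p: Packet) -> bool:
    """ipf 'flags S/SA': SYN set and ACK clear, i.e. a new connection attempt."""
    return "S" in p.flags and "A" not in p.flags


def stateless_dns_filter(p: Packet) -> str:
    """The snippet's first (stateless) DNS ruleset. Last match wins, so the
    two pass rules override the blocks for anything that looks like DNS."""
    if p.proto != "udp":
        return "block"
    if p.direction == "out" and p.sport > 1024 and p.dport == DNS:
        return "pass"
    if p.direction == "in" and p.sport == DNS and p.dport > 1024:
        return "pass"   # anything from port 53 gets in, asked for or not
    return "block"


class StatefulFilter:
    """The snippet's two 'keep state' rules with a default block:
       pass in  quick proto tcp from any to any port = smtp flags S/SA keep state
       pass out proto udp from any to any port = 53 keep state"""

    def __init__(self) -> None:
        self.state: set = set()   # 5-tuples of packets that opened a flow

    @staticmethod
    def key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def opens_state(self, p: Packet) -> bool:
        if p.proto == "tcp" and p.direction == "in" and p.dport == SMTP:
            return syn_only(p)
        if p.proto == "udp" and p.direction == "out" and p.dport == DNS:
            return True
        return False

    def filter(self, p: Packet) -> str:
        k, rk = self.key(p), self.reverse_key(p)
        # 1. A packet of a tracked flow passes in either direction, on any
        #    interface, without an explicit reverse rule.
        if k in self.state or rk in self.state:
            if p.proto == "tcp" and "R" in p.flags:
                self.state.discard(k)    # simplified teardown on RST
                self.state.discard(rk)
            return "pass"
        # 2. A packet matching a keep-state rule creates the flow entry.
        if self.opens_state(p):
            self.state.add(k)
            return "pass"
        # 3. Everything else, including unsolicited FIN/ACK probes used
        #    for stealth scanning and forged "replies", is blocked.
        return "block"


def demo() -> dict:
    """Runs constructed traffic through both filters; returns the verdicts."""
    fw = StatefulFilter()
    client, server, scanner, resolver = "203.0.113.5", "192.0.2.10", "198.51.100.7", "192.0.2.53"
    out = {}
    # TCP: an inbound FIN probe with no connection behind it (stealth scan)
    out["fin_probe"] = fw.filter(Packet("tcp", "in", scanner, 40000, server, SMTP, "F"))
    # A real SMTP connection: SYN in, SYN-ACK out, ACK in
    out["syn"] = fw.filter(Packet("tcp", "in", client, 40001, server, SMTP, "S"))
    out["synack"] = fw.filter(Packet("tcp", "out", server, SMTP, client, 40001, "SA"))
    out["ack"] = fw.filter(Packet("tcp", "in", client, 40001, server, SMTP, "A"))
    # A SYN to a port no rule allows
    out["syn_other"] = fw.filter(Packet("tcp", "in", client, 40002, server, 22, "S"))
    # UDP: a forged "reply" from port 53 that no query asked for
    forged = Packet("udp", "in", scanner, DNS, server, 33000)
    out["forged_stateless"] = stateless_dns_filter(forged)
    out["forged_stateful"] = fw.filter(forged)
    # A genuine query and its reply
    out["query"] = fw.filter(Packet("udp", "out", server, 33001, resolver, DNS))
    out["reply"] = fw.filter(Packet("udp", "in", resolver, DNS, server, 33001))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:17s} {verdict}")
```

The point the FAQ makes shows up in the two "forged" lines: the stateless pair of DNS rules passes any UDP packet that merely claims to come from port 53, while the keep-state version blocks it because no outbound query created an entry for that 5-tuple. Likewise the inbound FIN to port 25 is blocked, whereas the pre-state ruleset's "pass in proto tcp all" would have let it through.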