From owner-freebsd-questions@FreeBSD.ORG Fri Sep 17 17:44:05 2004
From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "Norm Vilmer"
Cc: freebsd-questions@freebsd.org
Date: Fri, 17 Sep 2004 12:39:50 -0500
Subject: Re: Too many dynamic rules, sorry

----- Original Message -----
From: "Norm Vilmer"
To: "Micheal Patterson"
Cc:
Sent: Friday, September 17, 2004 11:47 AM
Subject: Re: Too many dynamic rules, sorry

> Micheal Patterson wrote:
> > ----- Original Message -----
> > From: "Norm Vilmer"
> > To: "Micheal Patterson"
> > Cc:
> > Sent: Friday, September 17, 2004 10:30 AM
> > Subject: Re: Too many dynamic rules, sorry
> >
> >> I do have a check-state rule
> >>
> >> add 00200 check-state
> >>
> >> Norm Vilmer
> >
> > Ok. Then right above the check-state entry, place an
> >
> > allow ip from 123.123.123.0/24 to 123.123.123.0/24
> >
> > Replace the ip's with the appropriate network/metric for your lan and that
> > will allow lan traffic to go to itself unhindered by any stateful checks.
> >
> > --
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600
>
> would this be the same?
>
> add 00200 allow all from any to any via ${iif} keep-state
> add 00210 check-state

The goal is to not use dynamic rules for your local lan, only the traffic from
the lan to the net. Otherwise, you're wasting dynamic state table space for
rules that aren't necessary. A very basic stateful ruleset:

ipfw add 100 allow ip from 1.1.1.0/24 to 1.1.1.0/24
ipfw add 500 check-state
ipfw add 600 allow ip from 1.1.1.0/24 to any keep-state
ipfw add 65000 deny log ip from any to any

That type of ruleset will allow local traffic without using the state table,
and the entry at 1000 will catch everything else outbound and use state tables
for it. If it's not originating from your network, and there's no state entry,
it's blocked by 65000.

--
Micheal Patterson
TSG Network Administration
405-917-0600
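A toy model of the four-rule ruleset above, added here as an illustration and not part of the original thread or of ipfw itself. It tracks only source/destination addresses, rule order and the keep-state table (ports and protocols are ignored), with a deliberately tiny dynamic-rule limit so the "Too many dynamic rules" condition from the subject line can be reproduced; the 198.51.100.x and 203.0.113.x hosts are constructed sample addresses.

```python
"""Toy model of rules 100/500/600/65000 from the message (added example)."""
from ipaddress import ip_address, ip_network

LAN = ip_network("1.1.1.0/24")  # the LAN used in the message's ruleset


class Firewall:
    """Evaluates the four rules in ipfw order against one packet at a time."""

    def __init__(self, lan=LAN, dyn_max=2):
        self.lan = lan
        self.dyn_max = dyn_max  # stand-in for the dynamic-rule limit; tiny on purpose
        self.dynamic = set()    # live (src, dst) flows created by keep-state

    def packet(self, src, dst):
        """Return (rule_number, verdict) for a packet from src to dst."""
        s, d = ip_address(src), ip_address(dst)
        # 100: LAN-to-LAN is allowed statically, so it never touches the state table.
        if s in self.lan and d in self.lan:
            return (100, "allow")
        # 500: check-state matches packets in either direction of a live flow.
        if (s, d) in self.dynamic or (d, s) in self.dynamic:
            return (500, "allow")
        # 600: a new outbound flow from the LAN gets a dynamic entry ...
        if s in self.lan:
            if len(self.dynamic) >= self.dyn_max:
                # ... unless the table is full: the packet is dropped, which is
                # the "Too many dynamic rules, sorry" situation of the thread.
                return (600, "deny")
            self.dynamic.add((s, d))
            return (600, "allow")
        # 65000: anything else (unsolicited inbound) is denied.
        return (65000, "deny")


def demo():
    """Walk the cases the message describes; returns the list of verdicts."""
    fw = Firewall()
    return [
        fw.packet("1.1.1.5", "1.1.1.9"),          # LAN to LAN: rule 100, no state used
        fw.packet("1.1.1.5", "198.51.100.1"),     # LAN to net: rule 600 creates state
        fw.packet("198.51.100.1", "1.1.1.5"),     # reply: matched by check-state
        fw.packet("203.0.113.7", "1.1.1.5"),      # unsolicited inbound: rule 65000
        fw.packet("1.1.1.6", "198.51.100.2"),     # second flow fills the 2-entry table
        fw.packet("1.1.1.7", "198.51.100.2"),     # third flow: table full, dropped
    ]
```

Putting the LAN-to-LAN allow ahead of check-state is what keeps the first case out of the dynamic table; with Norm's ordering (keep-state on everything) that traffic would consume entries too.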