Date: Fri, 17 Sep 2004 13:38:25 -0700 (PDT)
From: Dave McCammon <davemac11@yahoo.com>
To: Norm Vilmer <norm@etherealconsulting.com>
Cc: questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry
Message-ID: <20040917203825.45384.qmail@web41408.mail.yahoo.com>
In-Reply-To: <414B1CC9.7040600@etherealconsulting.com>
--- Norm Vilmer <norm@etherealconsulting.com> wrote:

> Dave McCammon wrote:
>
> > --- Bill Moran <wmoran@potentialtech.com> wrote:
> >
> > > Rob <spamrefuse@yahoo.com> wrote:
> > >
> > > > Norm Vilmer wrote:
> > > >
> > > > > Here are the rules that I have that keep-state on the outside interface:
> > > > >
> > > > > #For DNS
> > > > > add 01300 pass udp from ${oip} to any 53 keep-state
> > > > > # For NTP
> > > > > add 01400 pass udp from ${oip} to any 123 keep-state
> > > > > # For VPN
> > > > > add 01500 pass gre from any to any keep-state
> > > > > # For ICMP
> > > > > add 01600 pass icmp from any to any via ${oip} keep-state
> > > > >
> > > > > Do you think these are causing the problem?
> > > >
> > > > Aren't udp and icmp state-less protocols?
> > > > In that case, keep-state would not make much sense.
> > > >
> > > > I use 'keep-state' only for tcp rules.
> > > >
> > > > I may be wrong, moreover, I haven't followed the full thread :).
> > >
> > > You'll generally need to keep state on UDP when you play online games.
> > >
> > > If you're smart, you don't allow arbitrary UDP packets from the outside
> > > world into your network, but if you're playing Unreal or something, then
> > > all communication is via UDP, and you won't be able to play.
> > >
> > > The best solution is to allow all UDP traffic to _leave_, while keeping
> > > state. The keep-state remembers the ip/port information on the outgoing
> > > packets, and thus allows return packets to get back in (by matching the
> > > ip/port pair).
> > >
> > > Now, when you know the port, it doesn't really make sense to use
> > > keep-state, and all you're really doing is spamming your state tables.
> > >
> > > If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> > > these rules (designed to handle running a DNS server):
> > >
> > >     # Allow access to our DNS
> > >     ${fwcmd} add pass tcp from any to ${oip} 53 setup
> > >     ${fwcmd} add pass udp from any to ${oip} 53
> > >     ${fwcmd} add pass udp from ${oip} 53 to any
> > >
> > > Granted, it's three rules instead of 1, but it does not use your state
> > > tables unnecessarily (sp?)
> > >
> > > HTH.
> >
> > Sorry, wasn't done with last message.
> >
> > Look at your dynamic table. If you are getting DoS'd, try using the
> > "limit" option instead of keep-state, or tweak the
> > net.inet.ip.fw.dyn_(*)_lifetime to a level that suits your needs.
> >
> > Or, rewrite your rules removing the keep-state options.
> >
> > _______________________________
> > Do you Yahoo!?
> > Declare Yourself - Register online to vote today!
> > http://vote.yahoo.com
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> I think I follow you. I am going to have to play around with the DNS
> rules supplied with rc.firewall to see if I can get them to work. Just
> putting them in as given, my machines inside the firewall can not do
> nslookups.
>
> I am a little afraid to play with the net.inet.ip.fw.dyn_(*)_lifetime
> level. I have seen a number of postings where people increase the value;
> mine is set to 300 (default). I did remove keep-state from all my rules
> except the gre rule. I also set the net.inet.ip.fw.dyn_max to 8192, which
> helps.
>
> Maybe I need a good book on the subject. Any suggestions?
>
> Norm Vilmer

What you may want to do is lower the net.inet.ip.fw.dyn_ack_lifetime.
This will help the dynamic rules to be cleared faster on connections that don't get completed with the FIN or RST. Besides, I believe the UDP dynamic rules are controlled by net.inet.ip.fw.dyn_udp_lifetime. On my bridging firewall, it is set to 10, but in the man page for ipfw it shows the default as 5 (unless the 5 is just an example, not the default).

Here are some links that I have bookmarked:

http://www.kgb.ro/Ipfw-HOWTO
http://freebsd.amazingdev.com/blog/archives/000112.html
http://www.toad-one.org/howto/FreeBSD/Ipfw-Advanced-Supplement-HOWTO.txt
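The advice in this thread (keep state only where the return traffic cannot be matched statically, bound it with "limit" where you do keep it, and tune the dyn_* sysctls) put into one rc.firewall-style script. This is an added example, not code from the thread, from /etc/rc.firewall, or from any of the posters. It is a dry run by default: ${fwcmd} and ${sysctl} expand to "echo ...", so it prints the ipfw and sysctl commands instead of loading them; the outside address 192.0.2.1 is a placeholder, and the rule numbers, the icmptypes list and the limit of 64 are choices made here, not values from the thread. The three stateless DNS rules are for a name server listening on ${oip}; a resolver that only sends queries still needs its own outbound rule, which is what the "limit src-addr" rule provides. With a single ${oip} as the source, "limit src-addr N" is in effect a cap on the total number of dynamic entries that rule can create, so size N to the concurrency your resolver and NTP client actually need.

```shell
#!/bin/sh
# Added example in the style of /etc/rc.firewall (not from the thread).
# Prints the ipfw/sysctl commands by default so it can be reviewed anywhere;
# set FWCMD=/sbin/ipfw SYSCTL=/sbin/sysctl to apply on a FreeBSD box.
fwcmd=${FWCMD:-"echo ipfw"}
sysctl=${SYSCTL:-"echo sysctl"}
oip=${OIP:-192.0.2.1}   # placeholder outside address (assumption, TEST-NET-1)

# Variant 1: keep-state on every rule, UDP/ICMP to fixed ports included, as in
# the rules posted in the thread. Every matching packet creates a dynamic-table
# entry, so a burst of lookups or pings eats into dyn_max.
stateful_rules() {
    ${fwcmd} add 01000 check-state
    ${fwcmd} add 01300 pass udp from ${oip} to any 53 keep-state
    ${fwcmd} add 01400 pass udp from ${oip} to any 123 keep-state
    ${fwcmd} add 01500 pass gre from any to any keep-state
    ${fwcmd} add 01600 pass icmp from any to any via ${oip} keep-state
}

# Variant 2: state only where the return leg cannot be described statically,
# and bounded with "limit" where it is kept.
lean_rules() {
    ${fwcmd} add 01000 check-state
    # Serving DNS on ${oip}: the three stateless rules from rc.firewall.
    ${fwcmd} add 01300 pass tcp from any to ${oip} 53 setup
    ${fwcmd} add 01310 pass udp from any to ${oip} 53
    ${fwcmd} add 01320 pass udp from ${oip} 53 to any
    # Lookups and NTP originated by the firewall itself: the dynamic entry is
    # what lets the reply back in, but "limit src-addr N" caps the number of
    # entries per source address, so a flood cannot fill the whole table.
    ${fwcmd} add 01400 pass udp from ${oip} to any 53,123 limit src-addr 64
    # GRE has no ports to match the return leg on, so it keeps state.
    ${fwcmd} add 01500 pass gre from any to any keep-state
    # ICMP: no state; allow only echo reply, unreachable, echo, time exceeded.
    ${fwcmd} add 01600 pass icmp from any to any icmptypes 0,3,8,11 via ${oip}
}

# Shorter lifetimes make abandoned entries expire sooner; the names are the
# sysctls listed in ipfw(8). dyn_max is the hard cap Norm raised to 8192.
tune_dynamic_table() {
    ${sysctl} net.inet.ip.fw.dyn_max=8192
    ${sysctl} net.inet.ip.fw.dyn_ack_lifetime=120   # established TCP; default is 300
    ${sysctl} net.inet.ip.fw.dyn_udp_lifetime=10
}

# How full is the table right now? dyn_count is the live number of entries;
# "ipfw -d list" shows the dynamic rules themselves.
show_dynamic_usage() {
    ${sysctl} -n net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max
    ${fwcmd} -d list
}

# Count how many rules of a ruleset create dynamic state (keep-state or limit).
count_stateful() {
    "$1" | grep -c -E 'keep-state|limit (src|dst)-(addr|port)'
}

echo "# variant 1: keep-state everywhere"; stateful_rules
echo "# variant 2: state only where needed"; lean_rules
echo "# sysctl tuning"; tune_dynamic_table
echo "# check"; show_dynamic_usage
```

Run it as `sh rc.firewall.example` to review the rules, then with `FWCMD=/sbin/ipfw SYSCTL=/sbin/sysctl` to load them. Compare `sysctl net.inet.ip.fw.dyn_count` against dyn_max before and after: if the count still climbs to the cap under normal traffic, shorten the lifetimes further or lower the limit rather than raising dyn_max again.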