Skip site navigation (1)Skip section navigation (2)
Date:      08 Feb 2001 10:45:48 -0500
From:      Lowell Gilbert <lowell@world.std.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: ipfw check-state
Message-ID:  <4466il89g3.fsf@lowellg.ne.mediaone.net>
In-Reply-To: ppandoson@eCoNeed.com's message of "5 Feb 2001 10:01:33 %2B0100"
References:  <3A7E6BCE.E93BDB1C@eCoNeed.com>

next in thread | previous in thread | raw e-mail | index | archive | help
ppandoson@eCoNeed.com (Pater Pandoson) writes:

> I have been reading the man page but I am still
> unsure how to use the dynamic firewall rules.
> Is there a good tutorial somewhere?

The "good tutorial" question is tricky, because it really depends on
where you start from:  specifically, your knowledge of how IP (and
especially, but not exclusively, TCP) works.

There are a couple of good books on the theory. Addison-Wesley and
O'Reilly each publish a good one, although those books come after it a
little differently (i.e., one might well want both).

I understand IP pretty well, and I found everything I needed to know
from the man page itself.  I don't, however, make particularly heavy
use of stateful rules (because in several cases they don't play well
with NAT or other forms of packet rewriting).

The basic idea behind stateful rules is pretty simple:  you let
detection of one packet cause the opening of a narrowly defined hole
specifically designed to let a response come back.  There are several
reasons you might want to do this; none of them are useful to every
firewall. 

One reason is efficiency.  A check against a list of dynamic rules 
is generally faster than a sequential check against a list of static
rules.  Due to differences in storage techniques (data structures),
this is often true even when the number of dynamic rules is much
larger than the number of static ones.  However, this only makes a
noticeable impact on the performance of the system when both the
number of packets being checked *and* the number of rules are quite
large.  

The other reason is to be sure that a packet coming in is a response
to a packet that you had sent out previously.  For pure datagram
protocols, there's no other way to guarantee this; for example, with
static rules, you have to let in DNS queries as well as responses.
For TCP, the headers themselves let you know whether a packet is the
first in a connection, and even if a packet "lies" about that, that
packet won't be accepted by an IP stack -- however, people often
prefer to not let such packets by their firewalls at all.

Does this information help?  I'm considering submitting some of it as
an expansion on the handbook descriptions...

Be well.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4466il89g3.fsf>