From owner-freebsd-questions Thu Mar 20 16:29:50 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3522437B401 for ; Thu, 20 Mar 2003 16:29:49 -0800 (PST)
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id A9B8C43FBF for ; Thu, 20 Mar 2003 16:29:47 -0800 (PST) (envelope-from keramida@ceid.upatras.gr)
Received: from gothmog.gr (patr530-a182.otenet.gr [212.205.215.182]) by mailsrv.otenet.gr (8.12.8/8.12.8) with ESMTP id h2L0Tg5u008038; Fri, 21 Mar 2003 02:29:44 +0200 (EET)
Received: from gothmog.gr (gothmog [127.0.0.1]) by gothmog.gr (8.12.8/8.12.8) with ESMTP id h2L0Tgkg001911; Fri, 21 Mar 2003 02:29:42 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Received: (from giorgos@localhost) by gothmog.gr (8.12.8/8.12.8/Submit) id h2L0TeUV001910; Fri, 21 Mar 2003 02:29:40 +0200 (EET) (envelope-from keramida@ceid.upatras.gr)
Date: Fri, 21 Mar 2003 02:29:40 +0200
From: Giorgos Keramidas
To: james_mapson@museum.rain.com
Cc: Drew Tomlinson, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW - "keep-state/check-state" And "setup/established" Confusion
Message-ID: <20030321002940.GF1538@gothmog.gr>
References: <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong> <20030320165232.GB6347@gothmog.gr> <20030320115636.A37330@ns.museum.rain.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030320115636.A37330@ns.museum.rain.com>
X-RAVMilter-Version: 8.4.2(snapshot 20021217) (terpsi)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 2003-03-20 11:56, James Long wrote:
> On Thu, Mar 20, 2003 at 06:52:32PM +0200, Giorgos Keramidas wrote:
> > > use "keep-state/check-state" for everything by adding my check-state
> > > rule near the top and then adding the following rule for incoming
> > > services:
> > >
> > > ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
> >
> > As a matter of fact, you should. The 'established' keyword is not as
> > nice as a real, stateful firewall (which {keep,check}-state gives you).
>
> A learning question: First, I am working from the understanding that
> the keep-state flag results in _one_ rule from any to $inwr, but creates
> the complementary "$inwr to any" rules for the return traffic on a dynamic
> basis, and that there is one dynamic rule for each connection that is
> active at the time. I welcome enlightenment if I am mistaken in this.
>
> Given that one wants to run those four ports wide open to the world, won't
> "keep-state" result in the firewall creating N dynamic rules for the return
> traffic, where N is the number of connections open to those four ports?
> When N is large (i.e., when there are many connections to those ports),
> would it not result in fewer firewall rule comparisons to just run them
> wide open and be done with it?
>
> If one accepts traffic from anyone coming in to those ports, what is to
> be gained by restricting the IPs to which our server can send return
> traffic from those ports?
>
> ipfw add allow ip from any to $inwr 21,22,25,80
> ipfw add allow ip from $inwr 21,22,25,80 to any
>
> Wouldn't this result in a maximum of two rules, instead of N + 1?

True. This is probably a good way of avoiding the overhead associated
with dynamic rules. I was only comparing 'established' to '*-state' ;)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
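As an added illustration (a toy model written for this archive page, not ipfw's code and not from either poster), the following compares the two rule styles discussed in the thread: check-state plus one keep-state rule, which creates a dynamic entry per active flow, versus the two static rules. It assumes $inwr is 192.0.2.10 and uses constructed client addresses.

```python
# Toy model of the two ipfw rule styles from the thread (added illustration, not ipfw code).
# Assumed: $inwr is 192.0.2.10 (a constructed documentation address).
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")
INWR = "192.0.2.10"
PORTS = {21, 22, 25, 80}

def stateless_allow(p):
    """The two static rules: 'any -> $inwr ports' and '$inwr ports -> any'."""
    rules = [lambda q: q.dst == INWR and q.dport in PORTS,
             lambda q: q.src == INWR and q.sport in PORTS]
    for n, rule in enumerate(rules, 1):
        if rule(p):
            return True, n          # allowed after n static-rule comparisons
    return False, len(rules)

class StatefulFw:
    """check-state near the top, then 'allow ip from any to $inwr ports keep-state'."""
    def __init__(self):
        self.dynamic = set()        # one entry per active flow, matched in both directions

    def allow(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.dynamic or \
           (p.dst, p.dport, p.src, p.sport) in self.dynamic:
            return True, 1          # matched by check-state
        if p.dst == INWR and p.dport in PORTS:
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            return True, 2          # matched by the keep-state rule; dynamic entry created
        return False, 2

def compare(n_clients):
    """Run n_clients connections to port 80 plus their replies through both models."""
    fw = StatefulFw()
    for i in range(n_clients):
        client = f"198.51.100.{1 + i % 254}"      # constructed client addresses
        inbound = Pkt(client, 40000 + i, INWR, 80)
        reply = Pkt(INWR, 80, client, 40000 + i)
        assert fw.allow(inbound) == (True, 2) and fw.allow(reply) == (True, 1)
        assert stateless_allow(inbound) == (True, 1) and stateless_allow(reply) == (True, 2)
    # A packet leaving $inwr from port 80 toward a host that never connected:
    stray = Pkt(INWR, 80, "203.0.113.9", 5555)
    return {"dynamic_entries": len(fw.dynamic),
            "stateful_allows_stray": fw.allow(stray)[0],
            "stateless_allows_stray": stateless_allow(stray)[0]}
```

The model also shows what each style accepts beyond the rule count: the static pair matches any packet sourced from those ports on $inwr, while the dynamic table only matches replies belonging to a flow it has already seen.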