From owner-freebsd-ipfw Sun Dec 5 21:43:13 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from azazel.zer0.org (azazel.zer0.org [209.133.53.200]) by hub.freebsd.org (Postfix) with ESMTP id 310DC14BC2 for ; Sun, 5 Dec 1999 21:43:11 -0800 (PST) (envelope-from gsutter@azazel.zer0.org)
Received: (from gsutter@localhost) by azazel.zer0.org (8.9.3/8.9.2) id VAA41599; Sun, 5 Dec 1999 21:41:52 -0800 (PST) (envelope-from gsutter)
Date: Sun, 5 Dec 1999 21:41:52 -0800
From: Gregory Sutter
To: Brian Gallucci
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW established
Message-ID: <19991205214151.Y94590@azazel.zer0.org>
References: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
In-Reply-To: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
Organization: Zer0
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Dec 05, 1999 at 05:14:09PM -0800, Brian Gallucci wrote:
> I just have one question about the established command
> in rc.firewall.
>
> I have heard that if we add ->
>
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass tcp from any to any 20 setup
> $fwcmd add pass tcp from any to any 21 setup
> $fwcmd add pass tcp from any to any 80 setup
>
> vs
>
> $fwcmd add pass tcp from any 20 to any
> $fwcmd add pass tcp from any to any 20
> $fwcmd add pass tcp from any 21 to any
> $fwcmd add pass tcp from any to any 21
>
> Using the established command will give us better
> performance on the firewall, is this correct ?

Using the 'established' keyword in this way will stop processing of the firewall rules at that rule, thus saving however-many ns it takes to process the remaining rules in ipfw. Unless there are many rules, the savings is pretty negligible.

Using the first set of rules instead of the second also closes a MAJOR hole. With the second set of rules in place, a person could make a connection from port 20 on their machine (which they control) to _any_ port on a machine behind the firewall. You _cannot_ use source port filtering as a means of access control, since the controller of the source host can use any port that they choose.

Regards,
Greg

--
Gregory S. Sutter                    Failing sardine factory cans employees!
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
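The difference the reply describes, as an added simulation that is not part of the original thread (written in Python rather than ipfw, since it only models rule matching): a first-match evaluator using ipfw's meaning of `established` (ACK or RST bit set) and `setup` (SYN set, ACK clear), assuming the default-deny final rule that rc.firewall installs. It shows that a SYN from source port 20 to an unrelated port passes the port-only set on its very first rule but is denied by the established/setup set; note that `established` here is a flag check, not connection tracking, so any ACK-bearing segment from anywhere matches rule 1.

```python
# Added example: a toy first-match evaluator for the two ipfw rule sets quoted
# above. It models only what the thread discusses (TCP ports, 'established',
# 'setup', first match wins, default deny) and is NOT ipfw itself.
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits

@dataclass
class Rule:
    src_port: Optional[int] = None   # None means 'any'
    dst_port: Optional[int] = None
    established: bool = False        # ipfw: match if ACK or RST is set
    setup: bool = False              # ipfw: match if SYN set and ACK clear

def rule_matches(rule: Rule, src_port: int, dst_port: int, flags: int) -> bool:
    if rule.src_port is not None and src_port != rule.src_port:
        return False
    if rule.dst_port is not None and dst_port != rule.dst_port:
        return False
    if rule.established and not flags & (ACK | RST):
        return False
    if rule.setup and not (flags & SYN and not flags & ACK):
        return False
    return True

def evaluate(rules, src_port, dst_port, flags):
    """Return ('pass', rule_no) for the first matching rule, else ('deny', None).
    Assumes a final default-deny rule, as rc.firewall installs."""
    for num, rule in enumerate(rules, start=1):
        if rule_matches(rule, src_port, dst_port, flags):
            return ("pass", num)
    return ("deny", None)

# First set from the message: established, then setup-only on chosen ports.
ESTABLISHED_SET = [Rule(established=True), Rule(dst_port=20, setup=True),
                   Rule(dst_port=21, setup=True), Rule(dst_port=80, setup=True)]
# Second set from the message: port-only rules with no flag checks at all.
PORT_SET = [Rule(src_port=20), Rule(dst_port=20),
            Rule(src_port=21), Rule(dst_port=21)]

def new_connection_from_port_20(rules, dst_port=23):
    """Constructed SYN-only packet from a source port the sender controls (20)
    to an arbitrary port (23 by default) on a host behind the firewall."""
    return evaluate(rules, src_port=20, dst_port=dst_port, flags=SYN)

if __name__ == "__main__":
    print("established set:", new_connection_from_port_20(ESTABLISHED_SET))  # ('deny', None)
    print("port set:       ", new_connection_from_port_20(PORT_SET))         # ('pass', 1)
```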