From owner-freebsd-security Thu Nov 30 15:36: 6 2000
From: "Peter Brezny"
To: freebsd-security@freebsd.org
Subject: ipfw dynamic firewall opening Large amounts of dynamic rules normal?
Date: Thu, 30 Nov 2000 18:35:09 -0800
Message-ID: <007901c05b3f$537026a0$46010a0a@sysadmininc.com>

Hello Everyone,

On a 4.2-stable box I've got ipfw and nat running with 2 dynamic rules (see complete rule set below).

$fwcmd add check-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif

This box is in the testing phase, and with me as the only user behind the firewall with a couple of browsers and a mail client running, sysctl net.inet.ip.fw shows ...dyn_count: 178 (see below).

When I ipfw show, it appears that for each outbound request for a website between six and 10 rules are created, one for the private IP of the internal machine followed by several for the (I'm assuming) translated internal request heading out to the remote web server (see below).

Is this behavior normal? And if so, how high is it recommended to set the sysctl net.inet.ip.fw.dyn_max variable (I'm using the default of 1000)?

I've attached a copy of my firewall rules below as well. Any advice will be greatly appreciated.
TIA

Peter Brezny
SysAdmin Services Inc.

sysctl output

net.inet.ip.fw.enable: 1
net.inet.ip.fw.one_pass: 1
net.inet.ip.fw.debug: 1
net.inet.ip.fw.verbose: 1
net.inet.ip.fw.verbose_limit: 100
net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.curr_dyn_buckets: 256
net.inet.ip.fw.dyn_count: 178
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
net.inet.ip.fw.dyn_fin_lifetime: 20
net.inet.ip.fw.dyn_rst_lifetime: 5
net.inet.ip.fw.dyn_short_lifetime: 30

ipfw show output

01300 0 0 (T 0, # 34) ty 0 tcp, 10.10.1.70 1265 <-> 209.16.228.140 25
01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
01200 0 0 (T 0, # 37) ty 0 tcp, 209.16.228.146 1262 <-> 204.148.40.9 80
01200 0 0 (T 0, # 38) ty 0 tcp, 209.16.228.146 1261 <-> 204.148.40.9 80
01200 0 0 (T 0, # 40) ty 0 tcp, 209.16.228.146 1251 <-> 204.148.40.9 80
01200 0 0 (T 0, # 41) ty 0 tcp, 209.16.228.146 1253 <-> 208.201.239.14 80
01200 0 0 (T 0, # 43) ty 0 tcp, 209.16.228.146 1255 <-> 208.201.239.14 80
01200 0 0 (T 0, # 47) ty 0 tcp, 209.16.228.146 1252 <-> 204.148.40.9 80
01300 0 0 (T 0, # 49) ty 0 tcp, 10.10.1.70 1216 <-> 64.41.203.231 80
01200 1 477 (T 0, # 52) ty 0 udp, 209.16.228.146 1055 <-> 209.16.228.140 53
01200 1 154 (T 0, # 53) ty 0 udp, 209.16.228.146 1054 <-> 209.16.228.140 53
01200 1 149 (T 0, # 54) ty 0 udp, 209.16.228.146 1053 <-> 209.16.228.140 53
01200 1 132 (T 0, # 55) ty 0 udp, 209.16.228.146 1052 <-> 209.16.228.140 53
01200 0 0 (T 0, # 64) ty 0 tcp, 209.16.228.146 1163 <-> 204.148.40.9 80
01200 0 0 (T 0, # 65) ty 0 tcp, 209.16.228.146 1162 <-> 204.148.40.9 80
01200 0 0 (T 0, # 66) ty 0 tcp, 209.16.228.146 1161 <-> 204.148.40.9 80
01200 0 0 (T 0, # 67) ty 0 tcp, 209.16.228.146 1160 <-> 204.148.40.9 80
01200 0 0 (T 0, # 68) ty 0 tcp, 209.16.228.146 1167 <-> 204.148.40.9 80
01200 0 0 (T 0, # 69) ty 0 tcp, 209.16.228.146 1166 <-> 204.148.40.9 80

Current firewall ruleset.
fwcmd="/sbin/ipfw"   # leave as is if using ipfw
oif="oifx"           # set to outside interface name
onwr="a.b.c.d/24"    # set to outside network range
oip="a.b.c.d"        # set to outside ip address
iif="ifx"            # set to internal interface name
inwr="x.y.z.x/24"    # set to internal network range
iip="x.y.z.x"        # set to internal ip address
ns1="e.f.g.h"        # set to primary name server best if = oif
#ntp="i.j.k.l"       # set to ip of NTP server or leave as is
#
# End of required user input
#
# Rules
#
$fwcmd -f flush
$fwcmd add allow all from any to any via lo0
$fwcmd add deny log all from any to 127.0.0.0/8
$fwcmd add deny log ip from $inwr to any in via $oif
$fwcmd add deny log ip from not $inwr to any in via $iif
$fwcmd add divert natd all from any to any via $oif
$fwcmd add allow tcp from any to any established
$fwcmd add allow tcp from any to $oip 22,25,80,443 setup
# $fwcmd add allow icmp from any to any
$fwcmd add allow icmp from any to any icmptypes 3,4,11,12
$fwcmd add allow udp from any 53 to $ns1 53
# $fwcmd add allow udp from $ntp 123 to $oip 123
$fwcmd add check-state
$fwcmd add allow ip from $oip to any keep-state out via $oif
$fwcmd add allow ip from $inwr to any keep-state via $iif
$fwcmd add 65435 deny log ip from any to any
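The question above is really about how to read the dynamic-rule table: which static rule each entry hangs off, which destinations account for the bulk of them, and how much of dyn_max is in use. The script below is an added example written for this thread; it is not the poster's code and not part of FreeBSD. It parses the 4.x-era `ipfw show` dynamic-rule line format and the `sysctl net.inet.ip.fw` output exactly as they appear in the post (the embedded samples are a constructed subset of those lines), groups the entries by rule number, protocol and destination, and computes the table occupancy. The 80% alerting threshold is an assumption for illustration, not a FreeBSD default.

```python
"""Summarize ipfw dynamic-rule state from `ipfw show` and `sysctl net.inet.ip.fw`.

Added example for this thread, not code from the post or from FreeBSD.
"""
import re
from collections import Counter

# One dynamic-rule line as printed by `ipfw show` on a 4.x box, e.g.
#   01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
# Static rules and any other lines do not match and are skipped.
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<timeout>\d+),\s+#\s+(?P<idx>\d+)\)\s+ty\s+(?P<type>\d+)\s+"
    r"(?P<proto>\w+),\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# Constructed sample: a subset of the dynamic entries quoted in the post.
SAMPLE_SHOW = """\
01300 0 0 (T 0, # 34) ty 0 tcp, 10.10.1.70 1265 <-> 209.16.228.140 25
01200 0 0 (T 0, # 36) ty 0 tcp, 209.16.228.146 1256 <-> 208.201.239.14 80
01200 0 0 (T 0, # 37) ty 0 tcp, 209.16.228.146 1262 <-> 204.148.40.9 80
01200 0 0 (T 0, # 38) ty 0 tcp, 209.16.228.146 1261 <-> 204.148.40.9 80
01300 0 0 (T 0, # 49) ty 0 tcp, 10.10.1.70 1216 <-> 64.41.203.231 80
01200 1 477 (T 0, # 52) ty 0 udp, 209.16.228.146 1055 <-> 209.16.228.140 53
01200 1 154 (T 0, # 53) ty 0 udp, 209.16.228.146 1054 <-> 209.16.228.140 53
"""

# Constructed sample: the relevant sysctl values quoted in the post.
SAMPLE_SYSCTL = """\
net.inet.ip.fw.dyn_count: 178
net.inet.ip.fw.dyn_max: 1000
net.inet.ip.fw.dyn_ack_lifetime: 300
net.inet.ip.fw.dyn_syn_lifetime: 20
"""


def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("rule", "pkts", "bytes", "timeout", "idx", "type", "sport", "dport"):
            d[key] = int(d[key])
        rules.append(d)
    return rules


def summarize(rules):
    """Count dynamic entries by parent static rule, by protocol and by (dst, dport)."""
    return {
        "total": len(rules),
        "by_rule": Counter(r["rule"] for r in rules),
        "by_proto": Counter(r["proto"] for r in rules),
        "by_dest": Counter((r["dst"], r["dport"]) for r in rules),
    }


def parse_sysctl(text):
    """Parse `sysctl net.inet.ip.fw` output ("name: value") into a dict of ints."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        values[name.strip()] = int(value.strip())
    return values


def occupancy(sysctl_values):
    """Fraction of the dynamic-rule table in use (dyn_count / dyn_max)."""
    return sysctl_values["net.inet.ip.fw.dyn_count"] / sysctl_values["net.inet.ip.fw.dyn_max"]


def dyn_table_near_full(sysctl_values, threshold=0.8):
    """True when dyn_count is within `threshold` of dyn_max (assumed alerting point).

    When the table is full, ipfw cannot install state for a new keep-state match,
    so the connection that needed it does not get through; that is the condition
    worth watching rather than the raw count.
    """
    return occupancy(sysctl_values) >= threshold


if __name__ == "__main__":
    summary = summarize(parse_dynamic_rules(SAMPLE_SHOW))
    print("dynamic entries:", summary["total"])
    for rule, n in sorted(summary["by_rule"].items()):
        print(f"  rule {rule:05d}: {n}")
    for (dst, dport), n in summary["by_dest"].most_common():
        print(f"  {dst}:{dport}: {n}")
    sc = parse_sysctl(SAMPLE_SYSCTL)
    print(f"dyn table {occupancy(sc):.1%} used; near full: {dyn_table_near_full(sc)}")
```

To use it against a live box, replace the two embedded samples with the real output of `ipfw show` and `sysctl net.inet.ip.fw`. Grouping by destination makes the per-page pattern in the post visible at a glance: several entries to the same web server on port 80 with consecutive source ports are separate TCP connections from one browser, each of which gets its own dynamic entry, and the inside-address entries under the other rule number are the same traffic seen before translation.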