From: Michael Sierchio
To: franck
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 29 Jun 2011 12:03:16 -0700
Subject: Re: using tables = ipfw: ipfw_install_state: Too many dynamic rules
List-Id: IPFW Technical Discussions

Sorry, revise my remarks about path MTU - pre-coffee. But you don't really want to drop those explicitly, at least not silently. Let TCP take care of it.

Also, if you want to permit ICMP, you should probably restrict it to reasonable icmptypes (echo, echo reply, error need-frag, etc.)

On Wed, Jun 29, 2011 at 11:34 AM, Michael Sierchio wrote:
> If table 2 contains a blacklist, why not deny traffic at the top?
>
> Why are you silently dropping fragmented TCP packets? This will break
> Path MTU discovery.
>
> Why do you have a check-state rule after rule 500? That's backwards.
> You might consider putting check-state at the beginning.
>
> You don't want to explicitly permit tcp established - that's done by
> the dynamic rules. This one rule may be the culprit, but the rest of
> your rules need improvement too. ;-)
>
> Are you running services on 80,443,747 on this host? Or another
> internal host?
>
> Rule 500 is broken, because TCP works differently from ICMP and UDP,
> and you only want to use the keep-state directive on packets with the
> SYN bit set.
>
> Even if you have only one interface, 'out' is ambiguous - best to
> specify the interface.
>
> You don't need the 'me' rules, since 'any' includes me.
>
> Try something like the following (pretend your external interface is 'eth0'):
>
> allow ip from any to any via lo0
>
> deny ip from any to 127.0.0.0/8
> deny ip from 127.0.0.0/8 to any
> deny ip from table\(2\) to any
>
> check-state
>
> deny tcp from any to any established
>
> allow tcp from any to any dst-port 80,443,747 in recv eth0 setup keep-state
>
> allow tcp from table\(1\) to any in recv eth0 setup keep-state
> allow udp from table\(1\) to any in recv eth0 keep-state
> allow icmp from table\(1\) to any in recv eth0 keep-state
>
> allow tcp from any to any out xmit eth0 setup keep-state
> allow udp from any to any out xmit eth0 keep-state
> allow icmp from any to any out xmit eth0 keep-state
>
> deny log logamount 1000 ip from any to any
>
> On Wed, Jun 29, 2011 at 3:58 AM, franck wrote:
>> Hi,
>>
>> On a new FreeBSD 8.2 server, ipfw complains of too many dynamic rules as
>> traffic increases.
>> e.g. "ipfw: ipfw_install_state: Too many dynamic rules"
>>
>> Is the following set of rules too complex? What would be the best/generic
>> approach to set up ipfw for a standard web server? Any recommendations?
>>
>> 00100 allow ip from any to any via lo0
>> 00200 deny ip from any to 127.0.0.0/8
>> 00300 deny ip from 127.0.0.0/8 to any
>> 00400 deny tcp from any to any frag
>> 00500 allow ip from table(1) to any keep-state
>> 00600 check-state
>> 00700 allow tcp from any to any established
>> 00800 allow ip from any to any out keep-state
>> 00900 allow icmp from any to any
>> 01000 allow udp from me to any dst-port 53 keep-state
>> 01100 allow udp from me to any dst-port 123 keep-state
>> 01200 allow tcp from any to any dst-port 747 setup keep-state
>> 01300 deny ip from table(2) to any
>> 20000 allow tcp from any to any dst-port 80,443 setup keep-state
>> 20100 deny log logamount 1000 ip from any to any
>> 65535 deny ip from any to any
>>
>> Note that:
>> - table 1: holds whitelist of IPs
>> - table 2: holds blacklist of IPs
>>
>> Regards,
>> Franck
>>
>> --
>> View this message in context: http://freebsd.1045724.n5.nabble.com/using-tables-ipfw-ipfw-install-state-Too-many-dynamic-rules-tp4534755p4534755.html
>> Sent from the freebsd-ipfw mailing list archive at Nabble.com.
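Added example, not code from either poster: a small POSIX-shell lint that reads an "ipfw list"-style listing and flags the mistakes called out in this thread (a keep-state rule ahead of check-state, keep-state on tcp/ip without setup, an explicit allow of established TCP, and a blacklist table deny placed after the stateful allows). Both inputs are constructed here: the first is Franck's ruleset as posted, the second is Michael's suggestion with rule numbers and the placeholder interface name eth0 filled in as assumptions. The checks are heuristics derived from Michael's remarks, not an ipfw feature, and the script never calls ipfw(8), so it runs anywhere.

```sh
#!/bin/sh
# Added example (not from the thread): lint an ipfw rule listing for the
# ordering and keep-state mistakes discussed above. Text only; no ipfw(8) calls.

# Constructed input 1: Franck's ruleset exactly as posted.
ORIGINAL_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny tcp from any to any frag
00500 allow ip from table(1) to any keep-state
00600 check-state
00700 allow tcp from any to any established
00800 allow ip from any to any out keep-state
00900 allow icmp from any to any
01000 allow udp from me to any dst-port 53 keep-state
01100 allow udp from me to any dst-port 123 keep-state
01200 allow tcp from any to any dst-port 747 setup keep-state
01300 deny ip from table(2) to any
20000 allow tcp from any to any dst-port 80,443 setup keep-state
20100 deny log logamount 1000 ip from any to any
65535 deny ip from any to any'

# Constructed input 2: Michael's suggested ruleset. The rule numbers and the
# interface name eth0 are assumptions made here, not part of the thread.
FIXED_RULES='00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from table(2) to any
00500 check-state
00600 deny tcp from any to any established
00700 allow tcp from any to any dst-port 80,443,747 in recv eth0 setup keep-state
00800 allow tcp from table(1) to any in recv eth0 setup keep-state
00900 allow udp from table(1) to any in recv eth0 keep-state
01000 allow icmp from table(1) to any in recv eth0 keep-state
01100 allow tcp from any to any out xmit eth0 setup keep-state
01200 allow udp from any to any out xmit eth0 keep-state
01300 allow icmp from any to any out xmit eth0 keep-state
65000 deny log logamount 1000 ip from any to any'

# lint_ipfw: read a listing on stdin, print one finding per line,
# exit 0 when the listing is clean and 1 when anything was flagged.
lint_ipfw() {
    awk '
    BEGIN { checkstate = ""; stateful_seen = 0; n = 0 }
    /^[ \t]*$/ { next }
    {
        rule = $1; action = $2; proto = $3
        if ($0 ~ /check-state/) { if (checkstate == "") checkstate = rule; next }
        ks = ($0 ~ /keep-state/)

        # Without an earlier check-state, ipfw consults the dynamic rules at
        # the first keep-state rule instead, so state lookup happens wherever
        # that rule happens to sit. check-state belongs at the top.
        if (ks && checkstate == "") {
            print rule ": keep-state before check-state; move check-state up"; n++
        }
        # TCP state should only be created on the SYN (setup). keep-state on
        # "ip"/"all" covers TCP too and creates an entry for every stray segment.
        if (ks && (proto == "tcp" || proto == "ip" || proto == "all") && $0 !~ /setup/) {
            print rule ": keep-state on " proto " without setup; create TCP state on SYN only"; n++
        }
        # Established TCP is already matched by the dynamic rules.
        if (action == "allow" && proto == "tcp" && $0 ~ /established/) {
            print rule ": explicit allow of established TCP; the dynamic rules cover it"; n++
        }
        # A blacklist deny only helps if it precedes the stateful allow rules.
        if (action == "deny" && $0 ~ /from table\(/ && stateful_seen) {
            print rule ": blacklist deny after stateful allow rules; move it to the top"; n++
        }
        if (ks) stateful_seen = 1
    }
    END { exit (n > 0) }'
}

# count_findings RULESET: number of findings for a ruleset held in a variable.
count_findings() {
    printf '%s\n' "$1" | lint_ipfw | wc -l | tr -d ' '
}

# ruleset_is_clean RULESET: success when lint_ipfw reports nothing.
ruleset_is_clean() {
    printf '%s\n' "$1" | lint_ipfw >/dev/null
}

# Run both constructed rulesets through the lint when executed directly.
for name in ORIGINAL_RULES FIXED_RULES; do
    eval "rules=\$$name"
    echo "== $name =="
    if printf '%s\n' "$rules" | lint_ipfw; then echo "(clean)"; fi
done
```

On the posted ruleset the lint reports five findings (two for rule 500, one each for 700, 800 and 1300) and none for the corrected one. The error message in the subject line is what ipfw prints when the number of dynamic rules reaches the sysctl net.inet.ip.fw.dyn_max; raising that limit buys headroom, but the rules above are what make every stray TCP segment and every pre-check-state match create an entry in the first place.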