From owner-freebsd-ipfw Tue Oct 24 17:55:12 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from kanga.honeypot.net (kanga.honeypot.net [216.224.193.50]) by hub.freebsd.org (Postfix) with ESMTP id C403337B479 for ; Tue, 24 Oct 2000 17:55:05 -0700 (PDT)
Received: from pooh.honeypot (mail@pooh.honeypot [10.0.1.2]) by kanga.honeypot.net (8.11.1/8.11.1) with ESMTP id e9P0swF81636 for ; Tue, 24 Oct 2000 19:54:59 -0500 (CDT) (envelope-from kirk@pooh.honeypot.net)
Received: from kirk by pooh.honeypot with local (Exim 3.12 #1 (Debian)) id 13oEqI-0004CX-00 for ; Tue, 24 Oct 2000 19:54:58 -0500
To: freebsd-ipfw@freebsd.org
Subject: Stateful? Non-stateful? I'm lost.
From: Kirk Strauser
Reply-To: kirk@strauser.com
Date: 24 Oct 2000 19:54:58 -0500
Message-ID: <87u2a1zqn1.fsf@pooh.honeypot>
Lines: 58
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am using ipfw on a FreeBSD 4.1.1-STABLE box. I have written my firewall
config in m4, since there are quite a few rules, and since I wanted to
minimize the risk of typos. I initially configured my firewall based on
the instructions in the handbook.

I have m4 macros in the form:

    define(`tcp_outgoing',
      `add $1 allow tcp from $2 to $3 $4 out xmit $5
       add $1 allow tcp from $3 $4 to $2 in recv $5 established')

    define(`tcp_incoming',
      `add $1 allow tcp from $3 to $2 $4 in recv $5
       add $1 allow tcp from $2 $4 to $3 out xmit $5 established')

    define(`udp_outgoing',
      `add $1 allow udp from $2 to $3 $4 out xmit $5
       add $1 allow udp from $3 $4 to $2 in recv $5')

    define(`udp_incoming',
      `add $1 allow udp from $3 to $2 $4 in recv $5
       add $1 allow udp from $2 $4 to $3 out xmit $5')

so that later entries in the form:

    tcp_outgoing(30400, MAIN_LAN, any, ssh, WAN)
    tcp_incoming(40200, PROXY, any, smtp, WAN)

become

    30400 allow tcp from 10.0.1.0/24 to any 22 out xmit ed0
    30400 allow tcp from any 22 to 10.0.1.0/24 in recv ed0 established
    40200 allow tcp from any to 10.0.0.2 25 in recv ed0
    40200 allow tcp from 10.0.0.2 25 to any out xmit ed0 established

This has worked perfectly for roughly the last year, and continues to keep
me safe from script kiddies.

Recently I noticed the keep-state and check-state options to ipfw. I've
asked around, and made an honest effort to RTFM (which would first require
*finding* TFM!), but I just can't figure out exactly what they're supposed
to do. My questions are:

  1. What do they do?
  2. How could I use them to improve my ruleset?
  3. Are there any caveats / efficiency tradeoffs from using them?
  4. Would they increase security over what I'm already doing?

I'm not a newbie, but I just haven't been able to find the information I
need. My only other request is that if you feel that you must answer with
"RTFM, darnit!", then please at least tell me where to look for it. I've
scoured freebsd.org to the limits of my searching ability and can't find
any answers.

Thanks,
-- 
Kirk Strauser

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
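As an added example that is not part of the original post: the script below renders the poster's two rule pairs in the stateful form that keep-state and check-state provide, next to the stateless tcp_outgoing pair for comparison. Shell functions stand in for the m4 macros so the script runs without m4; the addresses and interface (10.0.1.0/24, 10.0.0.2, ed0) are taken from the post, while the rule numbers 100, 30500 and 65000 and the DNS rule are assumed for illustration. In ipfw terms: `setup` matches only the SYN that opens a TCP connection, `keep-state` records that flow (addresses and ports) as a dynamic rule, and `check-state` matches later packets in either direction against the dynamic rules, so no separate return rule with `established` is needed.

```shell
#!/bin/sh
# Constructed example: stateless vs. stateful ipfw rule generation.
# Network values are those from the post; rule numbers 100/30500/65000 are assumed.
MAIN_LAN="10.0.1.0/24"
PROXY="10.0.0.2"
WAN="ed0"

# Stateless pair, as the post's tcp_outgoing macro produces it. The return rule
# uses 'established', which matches any TCP packet with ACK or RST set, whether
# or not a connection actually exists.
# $1 rule number, $2 inside host/net, $3 outside host/net, $4 port, $5 interface
tcp_outgoing_stateless() {
  printf 'add %s allow tcp from %s to %s %s out xmit %s\n' "$1" "$2" "$3" "$4" "$5"
  printf 'add %s allow tcp from %s %s to %s in recv %s established\n' "$1" "$3" "$4" "$2" "$5"
}

# Stateful equivalents: one rule per direction of *initiation*. 'setup' matches
# only the opening SYN, 'keep-state' creates a dynamic rule for that flow, and
# the single 'check-state' rule near the top admits the return traffic.
tcp_outgoing_stateful() {
  printf 'add %s allow tcp from %s to %s %s out xmit %s setup keep-state\n' "$1" "$2" "$3" "$4" "$5"
}

tcp_incoming_stateful() {
  printf 'add %s allow tcp from %s to %s %s in recv %s setup keep-state\n' "$1" "$3" "$2" "$4" "$5"
}

# UDP has no SYN, so 'keep-state' alone records the flow on the first datagram.
udp_outgoing_stateful() {
  printf 'add %s allow udp from %s to %s %s out xmit %s keep-state\n' "$1" "$2" "$3" "$4" "$5"
}

# Complete ruleset: check-state must be numbered below every keep-state rule
# and every rule that could deny the return packets. The final deny is assumed.
gen_stateful_ruleset() {
  echo 'add 100 check-state'
  tcp_outgoing_stateful 30400 "$MAIN_LAN" any 22 "$WAN"
  tcp_incoming_stateful 40200 "$PROXY" any 25 "$WAN"
  udp_outgoing_stateful 30500 "$MAIN_LAN" any 53 "$WAN"
  echo 'add 65000 deny log ip from any to any'
}

# Stand-alone run: print the ruleset. On the firewall itself it would be
# written to a file and loaded with "ipfw /path/to/file".
gen_stateful_ruleset
```

Two caveats a practitioner would want here. The stateless return rules accept any packet with ACK or RST set from the permitted port, so a crafted ACK to the LAN from source port 22 passes 30400 whether or not anyone opened a connection; the dynamic rule only exists after a real SYN went out, which is the security gain. The cost is kernel state: each dynamic rule consumes memory and expires on a timer, and the number of live entries is bounded by the `net.inet.ip.fw.dyn_max` sysctl, so a host that opens many flows (or an attacker spraying SYNs through an `in recv ... setup keep-state` rule) can exhaust the table and have new connections refused.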