Date:      Tue, 24 May 2005 14:28:58 -0600
From:      Stephane Raimbault <stephane@enertiasoft.com>
To:        Charles Swiger <cswiger@mac.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: named error sending response: permision denied
Message-ID:  <33C31ADD-A2A0-47FC-968D-267278F63F89@enertiasoft.com>
In-Reply-To: <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com>
References:  <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <DBDEAE42-4CD3-4989-AEB8-CF4794942240@enertiasoft.com> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> <F4C0013C-245C-41AE-9E4C-226829631D84@enertiasoft.com> <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com>


On 24-May-05, at 2:12 PM, Charles Swiger wrote:

> On May 24, 2005, at 2:25 PM, Stephane Raimbault wrote:
>
>>> I hate to ask something silly, but you do have a check-state rule  
>>> somewhere, right?
>>>
>>>
>> it's not silly..., what's silly is now I'm asking how would I  
>> check :) or what would the rule look like.
>>
>
> You'd have an "ipfw add check-state" rule somewhere.
>
>
>>> The rules you've added permit traffic in both directions, which  
>>> shouldn't be needed unless the stateful matching wasn't working  
>>> right.  Anyway, you don't need to use stateful rules if you  
>>> permit traffic in both ways, but the possible tradeoff is making  
>>> the systems more accessible to scanning and some DoS attacks  
>>> using forged traffic.
>>>
>>> Not using keep-state with UDP is quite reasonable, but you might  
>>> consider adding a "keep-state" with your TCP rules for port 53.   
>>> You should also be aware that your nameservers will want to make  
>>> outbound connections using TCP themselves sometimes....
>>>
>>
>> you've actually kinda answered the other question I neglected to  
>> ask... which is, would I really need the keep-state, since it  
>> seemed to work without it being there when I did my testing  
>> earlier today.  Regarding adding keep-state to my tcp rule...  
>> would this not do the same thing... ? am I confused... or is it  
>> just insecure of doing it this way:
>>
>> # Allow TCP through if setup succeeded
>> ${fwcmd} add pass tcp from any to any established
>>
>
> Stateful matching of connections can be more secure than passing  
> any traffic which is established, but that depends on the other  
> rules which are being used.  However, the IPFW manpage has a good  
> description of this:
>
>      The typical use of dynamic rules is to keep a closed firewall
>      configuration, but let the first TCP SYN packet from the inside network
>      install a dynamic rule for the flow so that packets belonging to that
>      session will be allowed through the firewall:
>
>            ipfw add check-state
>            ipfw add allow tcp from my-subnet to any setup keep-state
>            ipfw add deny tcp from any to any
>

That's very interesting and makes sense.  I do not have the check-state
in there, and just specify each port that is open.  I'm guessing
I did not run into this problem with anything else, as dns is a very
stateful type of protocol?  Would this be handy with an FTP server?
Right now I just tell the ftp server to use specific passive ports,
and open up the firewall to allow connections on there.  Would I be
able to eliminate that with simply setting up check-state and also
having keep-state at the end of the tcp allow rules?

Thanks,
Stephane.



> -- 
> -Chuck
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw- 
> unsubscribe@freebsd.org"
>
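An added example, not from this thread or from the FreeBSD manpage, of what the check-state / keep-state arrangement quoted above looks like as a nameserver ruleset, in place of the "tcp from any to any established" rule (which matches any TCP segment with ACK or RST set, so forged segments pass it). FWCMD defaulting to a dry-run echo and the 192.0.2.0/24 subnet are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own rules): ipfw ruleset for a nameserver
# built on check-state / keep-state rather than "established".
# Assumption: FWCMD defaults to "echo ipfw" so the script only prints the
# rules (dry run); set FWCMD=ipfw on the firewall host to install them.
# NSNET is a constructed example subnet (TEST-NET-1), not a real deployment.

fwcmd="${FWCMD:-echo ipfw}"
nsnet="${NSNET:-192.0.2.0/24}"

dns_ruleset() {
    # The dynamic-rule lookup must come before every keep-state rule,
    # otherwise reply packets are never checked against the state table.
    ${fwcmd} add 100 check-state

    # UDP 53: stateless in both directions, as discussed in the thread;
    # no state entries are created for plain queries.
    ${fwcmd} add 200 allow udp from any to ${nsnet} 53
    ${fwcmd} add 210 allow udp from ${nsnet} 53 to any

    # TCP 53 inbound (zone transfers, truncated answers): only the SYN
    # ("setup") is matched here; the dynamic rule carries the rest of
    # the session, so no separate rule for return traffic is needed.
    ${fwcmd} add 300 allow tcp from any to ${nsnet} 53 setup keep-state

    # Outbound TCP the nameserver initiates itself (the point made above
    # that nameservers sometimes open TCP connections of their own).
    ${fwcmd} add 310 allow tcp from ${nsnet} to any setup keep-state

    # Closed by default: a TCP segment with ACK set but no matching
    # dynamic rule is dropped here instead of being passed as "established".
    ${fwcmd} add 900 deny tcp from any to any
    ${fwcmd} add 910 deny udp from any to any
}

dns_ruleset
```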