Date:      Thu, 22 Jan 2004 05:31:36 -0500
From:      "Matthew McGehrin" <mcgehrin@reverse.net>
To:        <freebsd-ipfw@freebsd.org>
Subject:    Static rules (Stateless) versus Dynamic (Stateful) Rulesets in IPFW
Message-ID:  <001201c3e0d2$e9877af0$af00a8c0@orange>

It seems to be a recent trend in which firewall authors are using dynamic rulesets for their firewall code. It's been my experience that dynamic rules work in low to medium load situations (less than 1024 active TCP/IP connections), but beyond this limit static rules are the way to go.

For example, I run an IRC shell company. I maintain multiple boxes that have 1500+ active TCP/IP connections. My upstream provides basic DoS filtering, but it's my responsibility to protect my machines. I use the following ruleset:

00001 allow ip from any to any via lo0
# pipes
00010 pipe 10 tcp from 1.2.3.0/24 6660-9999,4400 to any out
00012 pipe 10 tcp from 1.2.3.0/24 to any 6660-9999,4400 out
00014 pipe 10 tcp from 1.2.3.0/24 to any 53,80,113,1080 out
00020 pipe 10 ip from 1.2.3.3 to any out
00022 pipe 10 udp from 1.2.3.0/24 to any out
00024 pipe 10 icmp from 1.2.3.0/24 to any out
00050 pipe 50 ip from 1.2.3.0/24 to any out
ipfw pipe 10 config bw  115k queue 8k mask dst-ip 0xff000000
ipfw pipe 50 config bw  256k queue 8k mask dst-ip 0xff000000

# split protocol
00100 skipto 2000 tcp from any to any
00200 skipto 4000 udp from any to any
00300 skipto 6000 icmp from any to any
# tcp
02000 allow tcp from any to any established
02100 allow tcp from any to any 1024-65535,25,80,81,443 setup
02200 allow tcp from any to any 20-21,22,43,53,110,113 setup
02300 allow tcp from any to any 23,873 out setup
02400 deny tcp from any to any
# udp
04000 allow udp from any to any 50-53,123
04100 allow udp from any to any 1024-65535
04200 deny udp from any to any
# icmp
06000 allow icmp from any to any in icmptype 0,3,4,11,12
06100 allow icmp from any to any out icmptype 3,4,8
06200 deny icmp from any to any
# default
65535 deny ip from any to any

In this situation, using a 'dynamic ruleset' brings the box to a crawl. However, a static ruleset works with very little CPU overhead.


Thanks

-- Matthew

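The trade the post makes is worth seeing side by side. The following Python model is an added example, not part of Matthew's message or of ipfw itself: it implements the decision logic of rules 02000-02400 (the stateless `established`/`setup` keyword tests, where `established` matches any segment with ACK or RST set and `setup` matches SYN without ACK) next to a `check-state`/`keep-state` style table capped at a fixed number of entries, modelled on the `net.inet.ip.fw.dyn_max` sysctl. The addresses, ports and packets are constructed; the table refusing new flows when full is how the model represents ipfw dropping a packet for which no dynamic rule can be created, and is the mechanism behind the load ceiling the post describes. The flip side it shows is the defender's caveat: the static `established` rule is a flag test only, so a bare ACK to a port the `setup` rules never opened is still allowed, while the stateful table denies it.

```python
"""Added model of stateless vs. stateful TCP filtering in ipfw terms.
Not from the post and not ipfw code; all traffic below is constructed."""
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_setup(p):
    """ipfw 'setup': SYN set, ACK clear."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p):
    """ipfw 'established': ACK or RST set (a flag test, not a state lookup)."""
    return bool(p.flags & (ACK | RST))


def stateless_tcp(p, setup_ports):
    """Decision logic of rules 02000-02400 in the post: allow established,
    allow setup to listed ports, deny the rest. Any ACK/RST segment passes,
    whether or not this host ever saw the SYN that opened the flow."""
    if is_established(p):
        return "allow"
    if is_setup(p) and p.dport in setup_ports:
        return "allow"
    return "deny"


class StatefulTcp:
    """check-state / keep-state equivalent with a bounded table
    (bound modelled on net.inet.ip.fw.dyn_max; expiry timers omitted)."""

    def __init__(self, setup_ports, dyn_max):
        self.setup_ports = setup_ports
        self.dyn_max = dyn_max
        self.table = set()
        self.refused = 0  # new flows refused because the table was full

    @staticmethod
    def flow_key(p):
        # direction-independent key so the server's reply matches the stored state
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        key = self.flow_key(p)
        if key in self.table:  # check-state hit
            return "allow"
        if is_setup(p) and p.dport in self.setup_ports:  # allow ... setup keep-state
            if len(self.table) >= self.dyn_max:
                self.refused += 1  # model: packet dropped, no dynamic rule can be created
                return "deny"
            self.table.add(key)
            return "allow"
        return "deny"  # includes bare ACKs with no matching state


# Subset of the post's setup port list, enough for the demonstration
SETUP_PORTS = {25, 80, 443}


def demo():
    """Constructed traffic (RFC 5737 documentation addresses): three client
    opens, one server reply, and one bare ACK to a port no setup rule covers."""
    syn_a = Pkt("198.51.100.10", 40000, "192.0.2.5", 80, SYN)
    reply_a = Pkt("192.0.2.5", 80, "198.51.100.10", 40000, SYN | ACK)
    syn_b = Pkt("198.51.100.11", 40001, "192.0.2.5", 80, SYN)
    syn_c = Pkt("198.51.100.12", 40002, "192.0.2.5", 80, SYN)
    bare_ack = Pkt("203.0.113.7", 1234, "192.0.2.5", 23, ACK)
    stream = (syn_a, reply_a, syn_b, syn_c, bare_ack)

    fw = StatefulTcp(SETUP_PORTS, dyn_max=2)  # deliberately tiny table
    return {
        "stateless": [stateless_tcp(p, SETUP_PORTS) for p in stream],
        "stateful": [fw.filter(p) for p in stream],
        "refused": fw.refused,
    }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:10} {verdicts}")
```

Run as a script, the stateless column allows all five packets, including the bare ACK to port 23; the stateful column allows the first two opens and the reply, refuses the third open because the two-entry table is full, and denies the bare ACK for lack of state. Scale `dyn_max` up and the third refusal disappears, which is exactly the dimension the post is trading CPU and memory against.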