Date: Thu, 22 Jan 2004 05:31:36 -0500
From: "Matthew McGehrin" <mcgehrin@reverse.net>
To: <freebsd-ipfw@freebsd.org>
Subject: Static rules (Stateless) versus Dynamic (Stateful) Rulesets in IPFW
Message-ID: <001201c3e0d2$e9877af0$af00a8c0@orange>
It seems to be a recent trend in which firewall authors are using dynamic rulesets for their firewall code. It's been my experience that dynamic rules work in low to medium load situations (less than 1024 active TCP/IP connections), but anything beyond this limit, static rules are the way to go.

For example, I run an IRC shell company. I maintain multiple boxes that have 1500+ active TCP/IP connections. My upstream provides basic DoS filtering, but it's my responsibility to protect my machines. I use the following ruleset:

00001 allow ip from any to any via lo0

# pipes
00010 pipe 10 tcp from 1.2.3.0/24 6660-9999,4400 to any out
00012 pipe 10 tcp from 1.2.3.0/24 to any 6660-9999,4400 out
00014 pipe 10 tcp from 1.2.3.0/24 to any 53,80,113,1080 out
00020 pipe 10 ip from 1.2.3.3 to any out
00022 pipe 10 udp from 1.2.3.0/24 to any out
00024 pipe 10 icmp from 1.2.3.0/24 to any out
00050 pipe 50 ip from 1.2.3.0/24 to any out

ipfw pipe 10 config bw 115k queue 8k mask dst-ip 0xff000000
ipfw pipe 50 config bw 256k queue 8k mask dst-ip 0xff000000

# split protocol
00100 skipto 2000 tcp from any to any
00200 skipto 4000 udp from any to any
00300 skipto 6000 icmp from any to any

# tcp
02000 allow tcp from any to any established
02100 allow tcp from any to any 1024-65535,25,80,81,443 setup
02200 allow tcp from any to any 20-21,22,43,53,110,113 setup
02300 allow tcp from any to any 23,873 out setup
02400 deny tcp from any to any

# udp
04000 allow udp from any to any 50-53,123
04100 allow udp from any to any 1024-65535
04200 deny udp from any to any

# icmp
06000 allow icmp from any to any in icmptype 0,3,4,11,12
06100 allow icmp from any to any out icmptype 3,4,8
06200 deny icmp from any to any

# default
65535 deny ip from any to any

In this situation, using a 'dynamic ruleset' brings the box to a crawl. However, a static ruleset works with very little CPU overhead.

Thanks

--
Matthew
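As an added illustration (not part of Matthew's message and not ipfw's own matching code), the following Python model walks the stateless TCP and UDP section of the ruleset above the way ipfw does, first match wins with `skipto` jumping forward. It makes the trade-off behind the low CPU cost visible: `established` is a pure flag check (ACK set, with no connection table consulted), while `setup` only admits fresh SYNs on the listed ports. The loopback rule, the pipes and the ICMP section are left out, and the `Packet` class is an assumption of this example.

```python
# Added example: a model of the stateless TCP/UDP rules from the e-mail.
# Only the rule features the e-mail uses are modelled; this is not ipfw itself.
from dataclasses import dataclass

@dataclass
class Packet:              # assumed shape, not an ipfw structure
    proto: str             # "tcp" or "udp"
    dport: int
    direction: str         # "in" or "out"
    syn: bool = False
    ack: bool = False

def ports_match(spec, port):
    """ipfw port list: comma-separated ports and lo-hi ranges; None = any port."""
    if spec is None:
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

# (number, action, proto, dst ports, direction, flag option) as in the e-mail
RULES = [
    (100,   "skipto 2000", "tcp", None, None, None),
    (200,   "skipto 4000", "udp", None, None, None),
    (2000,  "allow", "tcp", None, None, "established"),
    (2100,  "allow", "tcp", "1024-65535,25,80,81,443", None, "setup"),
    (2200,  "allow", "tcp", "20-21,22,43,53,110,113", None, "setup"),
    (2300,  "allow", "tcp", "23,873", "out", "setup"),
    (2400,  "deny",  "tcp", None, None, None),
    (4000,  "allow", "udp", "50-53,123", None, None),
    (4100,  "allow", "udp", "1024-65535", None, None),
    (4200,  "deny",  "udp", None, None, None),
    (65535, "deny",  "ip",  None, None, None),
]

def classify(pkt):
    """Return (rule number, action) of the first matching rule, honouring skipto."""
    i = 0
    while i < len(RULES):
        num, action, proto, dports, direction, flags = RULES[i]
        ok = proto in ("ip", pkt.proto) and ports_match(dports, pkt.dport)
        ok = ok and direction in (None, pkt.direction)
        if flags == "setup":            # new connection: SYN without ACK
            ok = ok and pkt.syn and not pkt.ack
        elif flags == "established":    # flag check only; no state is kept
            ok = ok and pkt.ack
        if ok and action.startswith("skipto"):
            target = int(action.split()[1])
            i = next(k for k, r in enumerate(RULES) if r[0] >= target)
            continue
        if ok:
            return num, action
        i += 1
    return 65535, "deny"
```

Because rule 2000 never checks whether a handshake really happened, the classifier accepts any ACK-bearing segment on any port; that is the price of not maintaining the state table that a `keep-state` ruleset would have to scan for every packet.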