From owner-freebsd-questions@FreeBSD.ORG Sat Oct 22 17:09:09 2011
Date: Sat, 22 Oct 2011 12:08:56 -0500
From: "Conrad J. Sabatier" <conrads@cox.net>
To: FreeBSD <freebsd-questions@freebsd.org>
Cc: carmel_ny@hotmail.com
Subject: Re: Configuring IPFW
Message-ID: <20111022120856.3eb392e3@cox.net>
X-Mailer: Claws Mail 3.7.10 (GTK+ 2.24.6; amd64-portbld-freebsd9.0)

On Sat, 22 Oct 2011 09:56:12 -0400
Carmel wrote:

> I am attempting to set up a firewall using IPFW with a stateful
> behavior.
>
> While I have investigated how to set up these rules, I have run into
> conflicting opinions as to whether to allow or deny "established"
> behavior.
>
> EXAMPLE: (preceded by a "checkstate" rule)
>
> allow tcp from any to any established
>
> Some documentation states that it should be denied and others say it
> should be allowed. Neither has given me a convincing reason to follow
> either scenario or any real documentation either for that fact.
>
> If possible, could someone with some real firewall knowledge and
> familiarity with IPFW please give me some advice.
>
> Thanks!

Well, assuming that you're only allowing the connections you actually
want to be established to be set up in the first place, then the logical
thing is to then allow any already established connections.

All of your tcp "allow" rules should include the setup keyword, as well
as keep-state. This way, only connections that are doing a first-time
setup will be allowed, and their state will be remembered, for later
checking using the check-state keyword.

In other words, create setup/keep-state rules for all tcp connections
you want to allow, and deny the rest. Just be sure the check-state and
established rules precede the deny rules.

Similarly, for udp rules, be sure to include the keep-state (but not
setup) keyword.
Hope this makes sense. :-)

-- 
Conrad J. Sabatier
conrads@cox.net
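The rule layout described in the reply above, written out as a small /bin/sh ruleset; this is an added example, not part of Conrad's message or of FreeBSD's own rc.firewall. The interface name em0, the rule numbers and the services admitted (ssh, http/https inbound; DNS and NTP outbound over udp) are assumptions, and passing echo instead of /sbin/ipfw as the first argument prints the rules instead of loading them:

```shell
#!/bin/sh
# Constructed stateful ipfw ruleset following the advice above:
#   check-state first, setup+keep-state on every tcp allow, keep-state
#   (no setup) on udp, the established rule, and only then the deny.
# $1: command used to apply each rule ("/sbin/ipfw", or "echo" to review)
# $2: external interface (assumed: em0)
stateful_ruleset() {
    fwcmd="${1:-/sbin/ipfw}"
    oif="${2:-em0}"

    ${fwcmd} -f flush

    # Remembered sessions are matched here, before any deny rule.
    ${fwcmd} add 100 check-state

    ${fwcmd} add 200 allow ip from any to any via lo0

    # Inbound tcp we actually want: only the initial SYN matches a
    # "setup" rule; keep-state records the flow for check-state later.
    ${fwcmd} add 300 allow tcp from any to me 22 in via "${oif}" setup keep-state
    ${fwcmd} add 310 allow tcp from any to me 80,443 in via "${oif}" setup keep-state

    # Outbound tcp started by this host gets the same treatment.
    ${fwcmd} add 400 allow tcp from me to any out via "${oif}" setup keep-state

    # udp has no handshake, so keep-state without setup (DNS, NTP).
    ${fwcmd} add 500 allow udp from me to any 53,123 out via "${oif}" keep-state

    # Already-established tcp sessions, still ahead of the deny.
    ${fwcmd} add 600 allow tcp from any to any established

    # Everything else, including unsolicited SYNs, is denied and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Usage: sh ruleset.sh echo em0        (print)
#        sh ruleset.sh /sbin/ipfw em0  (apply, as root)
if [ "$#" -gt 0 ]; then
    stateful_ruleset "$@"
fi
```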