Date: Sat, 22 Oct 2011 10:17:49 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: "Conrad J. Sabatier" <conrads@cox.net>
Cc: carmel_ny@hotmail.com, FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Configuring IPFW
Message-ID: <CAHu1Y71K93PbU%2BDt64KaB7ckoARSeFredQM7wtrW8YtAELMZPg@mail.gmail.com>
In-Reply-To: <20111022120856.3eb392e3@cox.net>
References: <BLU0-SMTP235296774800AA3D588B52193E90@phx.gbl> <20111022120856.3eb392e3@cox.net>
On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier <conrads@cox.net> wrote:
>
> Similarly, for udp rules, be sure to include the keep-state (but not
> setup) keyword.
>

Right - if you're just protecting a single host, for example, your ruleset
might be something like

    ipfw add 1000 allow ip from any to any via lo0
    ipfw add 1100 check-state
    ipfw add 1200 allow tcp from me to any setup keep-state
    ipfw add 1300 allow udp from me to any keep-state
    # stateful rules for ICMP sometimes work, and sometimes don't - traceroute for example
    ipfw add 1400 allow icmp from me to any
    ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
    # if you don't want to permit inbound echo requests, then use the next one instead
    # ipfw add 1500 allow icmp from any to me icmptypes 0,3,11
    ipfw add 1600 deny ip from any to any

There are sysctl variables you may want to look at:

    sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the behavior
of dynamic rule sets. You generally don't need to worry about them for
outbound connections, but they are critical for inbound connections - it's
trivial to DoS a firewall with dynamic rules.

Regards,

M
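As an added example that is not part of the original thread, the following POSIX sh script builds the single-host stateful ruleset shown in the message (with the inbound echo-request variant selectable), loads it through a configurable ipfw command so it can be dry-run with IPFW="echo ipfw" on a machine without ipfw, and reads "name: value" lines of the form printed by sysctl net.inet.ip.fw to report how full the dynamic-rule table is, which is the resource the message says is trivial to exhaust. The sysctl names net.inet.ip.fw.dyn_count and net.inet.ip.fw.dyn_max are real FreeBSD sysctls; the sample values, the function names and the 80% threshold are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Builds and loads the
# single-host stateful ruleset and checks dynamic-rule table pressure.

# Command used to load rules. Set IPFW="echo ipfw" for a dry run.
IPFW="${IPFW:-ipfw}"

# Print the ruleset, one "add ..." line per rule.
# Argument 1: 1 (default) permits inbound echo requests (ICMP type 8),
#             0 omits type 8, matching the commented-out rule 1500.
build_ruleset() {
    allow_echo="${1:-1}"
    if [ "$allow_echo" -eq 1 ]; then
        icmp_in="0,3,8,11"
    else
        icmp_in="0,3,11"
    fi
    cat <<EOF
add 1000 allow ip from any to any via lo0
add 1100 check-state
add 1200 allow tcp from me to any setup keep-state
add 1300 allow udp from me to any keep-state
add 1400 allow icmp from me to any
add 1500 allow icmp from any to me icmptypes $icmp_in
add 1600 deny ip from any to any
EOF
}

# Feed each rule line to $IPFW (word-split deliberately so that
# IPFW="echo ipfw" works as a dry run).
load_ruleset() {
    build_ruleset "$1" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPFW $rule
    done
}

# Read sysctl-style "name: value" lines on stdin and print the dynamic
# rule table usage as an integer percentage (dyn_count * 100 / dyn_max).
# Prints -1 if dyn_max is missing or zero.
dyn_table_usage() {
    awk -F': ' '
        $1 == "net.inet.ip.fw.dyn_count" { count = $2 + 0 }
        $1 == "net.inet.ip.fw.dyn_max"   { max = $2 + 0 }
        END {
            if (max > 0) printf "%d\n", (count * 100) / max
            else print "-1"
        }
    '
}

# Exit 0 when usage is below the threshold (assumed 80%), 1 otherwise.
# Takes the usage percentage as argument 1.
dyn_table_ok() {
    [ "$1" -ge 0 ] && [ "$1" -lt 80 ]
}

# Constructed sample of sysctl output, used only to demonstrate the check.
SAMPLE_SYSCTL='net.inet.ip.fw.dyn_buckets: 256
net.inet.ip.fw.dyn_count: 4096
net.inet.ip.fw.dyn_max: 16384'
```

Typical use on the host is `sh ruleset.sh` after adding `load_ruleset 0` at the bottom, or `IPFW="echo ipfw" sh -c '. ./ruleset.sh; load_ruleset 0'` to review the exact commands first; `sysctl net.inet.ip.fw | dyn_table_usage` gives the live percentage for a monitoring check.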