From owner-freebsd-questions@FreeBSD.ORG Sat Oct 22 17:17:50 2011
From: Michael Sierchio <kudzu@tenebras.com>
To: "Conrad J. Sabatier"
Cc: carmel_ny@hotmail.com, FreeBSD
Date: Sat, 22 Oct 2011 10:17:49 -0700
Subject: Re: Configuring IPFW
In-Reply-To: <20111022120856.3eb392e3@cox.net>
References: <20111022120856.3eb392e3@cox.net>
Content-Type: text/plain; charset=ISO-8859-1
List-Id: User questions <freebsd-questions@freebsd.org>

On Sat, Oct 22, 2011 at 10:08 AM, Conrad J. Sabatier wrote:
>
> Similarly, for udp rules, be sure to include the keep-state (but not
> setup) keyword.
>

Right - if you're just protecting a single host, for example, your ruleset might be something like

  ipfw add 1000 allow ip from any to any via lo0
  ipfw add 1100 check-state
  ipfw add 1200 allow tcp from me to any setup keep-state
  ipfw add 1300 allow udp from me to any keep-state
  # stateful rules for ICMP sometimes work, and sometimes don't - traceroute for example
  ipfw add 1400 allow icmp from me to any
  ipfw add 1500 allow icmp from any to me icmptypes 0,3,8,11
  # if you don't want to permit inbound echo requests, then use the next one instead
  # ipfw add 1500 allow icmp from any to me icmptypes 0,3,11
  ipfw add 1600 deny ip from any to any

There are sysctl variables you may want to look at:

  sysctl net.inet.ip.fw

These are described in the man page, and some of these affect the behavior of dynamic rule sets. You generally don't need to worry about them for outbound connections, but they are critical for inbound connections - it's trivial to DoS a firewall with dynamic rules.

Regards,

M
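The following is an added example, not code from Michael's mail or from the FreeBSD project. It turns the single-host ruleset above into an rc-style script, adds one inbound service (SSH on port 22, an assumption) and guards it with ipfw's `limit src-addr N` so that a single source can only hold a bounded number of dynamic rules, which is the usual answer to the inbound-state DoS Michael mentions. It also sets the `net.inet.ip.fw.dyn_*` sysctls from ipfw(8); the numeric values are assumed starting points, not FreeBSD defaults. Only the `apply` action touches the kernel (syntax-checking with `ipfw -n` first); with no argument it just prints the rules and sysctls so it can be inspected on any host.

```shell
#!/bin/sh
# Added example, not code from the mail above: an rc-style ipfw script that
# builds the single-host stateful ruleset discussed in the thread, adds one
# inbound service (SSH is an assumption) guarded with ipfw's 'limit' so a
# single source cannot fill the dynamic-rule table, and sets the
# net.inet.ip.fw.dyn_* sysctls. Only "apply" talks to the kernel; the default
# action just prints the rules so the script can be inspected on any host.

SSH_PORT="${SSH_PORT:-22}"           # assumed inbound service
PER_SRC_LIMIT="${PER_SRC_LIMIT:-10}" # assumed cap on dynamic rules per source IP

# Print the ruleset in ipfw(8) file syntax: one rule per line, no "ipfw" prefix.
gen_rules() {
    cat <<EOF
add 1000 allow ip from any to any via lo0
add 1100 check-state
add 1200 allow tcp from me to any setup keep-state
add 1300 allow udp from me to any keep-state
# ICMP stays stateless: traceroute-style replies would not match a dynamic rule
add 1400 allow icmp from me to any
add 1500 allow icmp from any to me icmptypes 0,3,8,11
# Inbound SSH: 'limit' creates the dynamic rule but refuses once this source
# already holds PER_SRC_LIMIT of them, bounding what one peer can consume
add 1550 allow tcp from any to me ${SSH_PORT} setup limit src-addr ${PER_SRC_LIMIT}
add 1600 deny ip from any to any
EOF
}

# Dynamic-rule sysctls from ipfw(8); the values are assumed starting points,
# not defaults. dyn_buckets must be a power of two.
gen_sysctls() {
    cat <<EOF
net.inet.ip.fw.dyn_buckets=1024
net.inet.ip.fw.dyn_max=4096
net.inet.ip.fw.dyn_syn_lifetime=20
net.inet.ip.fw.dyn_ack_lifetime=300
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_udp_lifetime=10
net.inet.ip.fw.dyn_short_lifetime=5
EOF
}

# Number of rules that create dynamic state (keep-state or limit).
count_stateful() {
    gen_rules | grep -v '^#' | grep -c -E 'keep-state|limit src-addr'
}

# Syntax-check with ipfw -n, then flush and load; sysctls last.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules | grep -v '^#' > "$tmp"
    if ! ipfw -n "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    ipfw -q -f flush
    ipfw -q "$tmp"
    rm -f "$tmp"
    gen_sysctls | while read -r kv; do sysctl "$kv"; done
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules; gen_sysctls ;;
esac
```

Run it without arguments to review the generated rules, and as root with `apply` to load them. The `limit` keyword is what separates the inbound rule from the outbound `keep-state` rules: both create dynamic entries, but `limit` refuses new ones once a source already holds `PER_SRC_LIMIT`, so the `dyn_max` ceiling is reached only by many distinct sources rather than by one host opening connections in a loop.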