Date: Sat, 22 Oct 2011 12:33:11 -0500 (CDT) From: Robert Bonomi <bonomi@mail.r-bonomi.com> To: freebsd-questions@freebsd.org Subject: Re: Configuring IPFW Message-ID: <201110221733.p9MHXBwF020188@mail.r-bonomi.com> In-Reply-To: <20111022120856.3eb392e3@cox.net>
> Date: Sat, 22 Oct 2011 12:08:56 -0500
> To: FreeBSD <freebsd-questions@freebsd.org>
> Subject: Re: Configuring IPFW
>
> On Sat, 22 Oct 2011 09:56:12 -0400
> Carmel <carmel_ny@hotmail.com> wrote:
>
> > I am attempting to set up a firewall using IPFW with a stateful
> > behavior.
> >
> > While I have investigated how to set up these rules, I have run into
> > conflicting opinions as to whether to allow or deny "established"
> > behavior.
> >
> > EXAMPLE: (preceded by a "checkstate" rule)
> >
> > allow tcp from any to any established
> >
> >
> > Some documentation states that it should be denied and others say it
> > should be allowed. Neither has given me a convincing reason to follow
> > either scenario or any real documentation either for that fact.
> >
> > If possible, could someone with some real firewall knowledge and
> > familiarity with IPFW please give me some advice.
> >
> > Thanks!
> >
>
> Well, assuming that you're only allowing the connections you actually
> want to be established to be setup in the first place, then the
> logical thing is to then allow any already established connections.

This, of course, ignores the possibility that a 'bad guy' might send an
initial packet _without_ the 'SYN' flag set. <grin>

> All of your tcp "allow" rules should include the setup keyword, as well
> as keep-state. This way, only connections that are doing a first-time
> setup will be allowed, and their state will be remembered, for later
> checking using the check-state keyword.

Now *THAT*, done _properly_, closes the aforementioned hole. :)
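As an added illustration (not code from the thread's authors or from ipfw itself), a small Python model of how ipfw evaluates the two rulesets discussed above. It assumes the simplified semantics of `established` (TCP with ACK or RST set, no state consulted), `setup` (SYN set, ACK clear) and `check-state` (matches either direction of a flow recorded by `keep-state`); the addresses, ports and packets are constructed for the demonstration.

```python
# Toy model of ipfw rule matching, constructed to contrast "allow established"
# with "setup keep-state" + "check-state". Not ipfw code; assumptions noted inline.

def flow_key(pkt):
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

class Firewall:
    def __init__(self, rules):
        self.rules = rules      # evaluated in order, first match wins
        self.dynamic = set()    # flows recorded by keep-state

    def process(self, pkt):
        f = pkt["flags"]
        back = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        for rule in self.rules:
            kind = rule[0]
            if kind == "check-state":
                # dynamic rules match both directions of a remembered flow
                if flow_key(pkt) in self.dynamic or back in self.dynamic:
                    return "allow"
            elif kind == "established":
                # 'established': ACK or RST set; the state table is NOT consulted
                if "ACK" in f or "RST" in f:
                    return "allow"
            elif kind == "setup":
                # 'setup': SYN set and ACK clear, to the listed port; keep-state
                # (rule[2]) records the flow so check-state can pass its replies
                if "SYN" in f and "ACK" not in f and pkt["dport"] == rule[1]:
                    if rule[2]:
                        self.dynamic.add(flow_key(pkt))
                    return "allow"
            elif kind == "deny":
                return "deny"
        return "deny"

# Ruleset from the question (established allowed) versus the advice given
WEAK = [("check-state",), ("established",), ("setup", 22, True), ("deny",)]
STRICT = [("check-state",), ("setup", 22, True), ("deny",)]

def pkt(src, sport, dst, dport, *flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

def run(rules):
    fw = Firewall(rules)
    legit_syn = pkt("198.51.100.7", 40000, "192.0.2.10", 22, "SYN")
    legit_ack = pkt("198.51.100.7", 40000, "192.0.2.10", 22, "ACK")
    ack_only = pkt("203.0.113.9", 40001, "192.0.2.10", 8080, "ACK")  # no SYN ever seen
    syn_8080 = pkt("203.0.113.9", 40002, "192.0.2.10", 8080, "SYN")
    return [fw.process(p) for p in (legit_syn, legit_ack, ack_only, syn_8080)]
```

`run(WEAK)` lets the ACK-only packet to port 8080 through on the `established` rule even though no connection was ever set up, while `run(STRICT)` denies it because only flows that began with an allowed `setup` are in the state table.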