From owner-freebsd-questions@FreeBSD.ORG Sat Oct 22 17:33:26 2011
Date: Sat, 22 Oct 2011 12:33:11 -0500 (CDT)
From: Robert Bonomi
Message-Id: <201110221733.p9MHXBwF020188@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org
In-Reply-To: <20111022120856.3eb392e3@cox.net>
Subject: Re: Configuring IPFW

> Date: Sat, 22 Oct 2011 12:08:56 -0500
> To: FreeBSD
> Subject: Re: Configuring IPFW
>
> On Sat, 22 Oct 2011 09:56:12 -0400
> Carmel wrote:
>
> > I am attempting to set up a firewall using IPFW with a stateful
> > behavior.
> >
> > While I have investigated how to set up these rules, I have run into
> > conflicting opinions as to whether to allow or deny "established"
> > behavior.
> >
> > EXAMPLE: (preceded by a "check-state" rule)
> >
> > allow tcp from any to any established
> >
> >
> > Some documentation states that it should be denied and others say it
> > should be allowed. Neither has given me a convincing reason to follow
> > either scenario or any real documentation either for that fact.
> >
> > If possible, could someone with some real firewall knowledge and
> > familiarity with IPFW please give me some advice.
> >
> > Thanks!
> >
>
> Well, assuming that you're only allowing the connections you actually
> want to be established to be setup in the first place, then the
> logical thing is to then allow any already established connections.

This, of course, ignores the possibility that a 'bad guy' might send an
initial packet _without_ the 'SYN' flag set.

> All of your tcp "allow" rules should include the setup keyword, as well
> as keep-state. This way, only connections that are doing a first-time
> setup will be allowed, and their state will be remembered, for later
> checking using the check-state keyword.

Now *THAT*, done _properly_, closes the aforementioned hole. :)
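An added example, not from anyone in the thread: an rc.firewall-style sh script that puts the weak "established" rule beside the setup/keep-state form recommended above. It assumes the host's own addresses are matched by ipfw's "me" keyword, that only SSH (tcp/22) is exposed inbound, and an IPFW_CMD variable of my own that defaults to a dry run so the rules are printed rather than loaded.

```shell
#!/bin/sh
# Added example (not from the thread). Set IPFW_CMD=/sbin/ipfw to load the
# rules for real; by default they are only echoed (dry run, assumed helper).
fwcmd="${IPFW_CMD:-echo ipfw}"

# WEAK: "established" matches any TCP segment with ACK or RST set, so a
# segment that never completed a handshake (no SYN) passes as long as its
# sender sets ACK. Kept only to show the rule the thread warns about.
weak_ruleset() {
    ${fwcmd} add 100 check-state
    ${fwcmd} add 200 allow tcp from any to any established
    ${fwcmd} add 65000 deny ip from any to any
}

# HARDENED: only handshake-initiating segments ("setup" = SYN without ACK)
# create dynamic state via keep-state; every later segment must match that
# state at check-state, so a bare ACK with no prior SYN falls through to
# the final deny rule.
hardened_ruleset() {
    ${fwcmd} add 100 check-state
    # outbound connections started by this host
    ${fwcmd} add 200 allow tcp from me to any setup keep-state
    # inbound SSH only (assumed: the one exposed service)
    ${fwcmd} add 300 allow tcp from any to me 22 setup keep-state
    # everything else, including stray ACKs claiming to be "established"
    ${fwcmd} add 65000 deny ip from any to any
}

# usage: sh ipfw-stateful.sh [weak|hardened]
case "${1:-hardened}" in
    weak)     weak_ruleset ;;
    hardened) hardened_ruleset ;;
esac
```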