Subject: Re: IPFIREWALL or IPFILTER?
From: Bill Fumerola
To: Rémi Guyomarch
Cc: freebsd-stable@freebsd.org
Date: Sun, 10 Dec 2000 20:02:04 -0600
Message-ID: <20001210200204.I86825@elvis.mu.org>
In-Reply-To: <20001210202817.C22773@diabolic-cow.chatgris.net>
References: <00dd01c05e2e$e42a0700$0b6cffc8@infolink.com.br> <20001209112247.A22773@diabolic-cow.chatgris.net> <002301c062bd$2aeb0440$0b6cffc8@infolink.com.br> <20001210202817.C22773@diabolic-cow.chatgris.net>

On Sun, Dec 10, 2000 at 08:28:17PM +0100, Rémi Guyomarch wrote:

> Can you do stateful filtering of TCP, UDP and ICMP streams with ipfw?
> (This includes ICMP errors and fragmented packets [ADSL anyone? ...].)

I'm not sure about the ICMP part, but the TCP and UDP work.

> Does the TCP state filtering engine in ipfw actually check sequence
> numbers and window sizes?

No, but that would be trivial to implement (at least window sizes).

> Is there something like "block return-icmp-as-dest (port-unr) ..." in
> ipfw?

man ipfw

> Is there a concept similar to the head/group thing in ipfw?
After some research in ipf(5) as to what "the head/group thing" was, it
seems you could produce the same type of functionality with (the rules
are intentionally stupid and shouldn't be used):

    300 skipto 1000 tcp from any to any
    400 skipto 2000 udp from any to any
    500 skipto 3000 icmp from any to any
    [...]
    1000 deny tcp from badguy to goodguy
    1010 deny tcp from any to any tcpseq 0 tcpoptions !mss
    1999 allow ip from any to any
    2001 pass udp from nameserver to me
    2500 deny udp from badmrudpflooder to me
    2999 allow ip from any to any
    3000 allow icmp from me to any
    3050 deny icmp from any to any
    3999 allow ip from any to any   # not needed
    [...]
    65535 allow ip from any to any

The only thing different between ipf and ipfw is that ipf seems to use
its own namespace for such things, while ipfw abuses rule numbering.

> Can you save/restore to/from disk filter and NAT state entries?

For filters: man vi
For state entries: no

> Can you redirect traffic to many internal boxes with a round-robin
> mechanism?

man natd

-- 
Bill Fumerola - security yahoo / Yahoo! inc. - fumerola@yahoo-inc.com / billf@FreeBSD.org
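The skipto layout above relies on two ipfw properties that are easy to get wrong when reading the rule numbers as if they were ipf groups: a matching skipto resumes at the first rule numbered at or above its target (so "skipto 2000" lands on 2001), and the numbered blocks are not isolated namespaces, so a packet that none of the dispatch rules sends anywhere simply walks into the first block. The toy evaluator below is an added example, not code from the post or from ipfw; it re-uses the post's own placeholder hostnames (badguy, goodguy, me, nameserver, badmrudpflooder), leaves out rule 1010 because its tcpseq/tcpoptions options are not modelled, and returns the list of rule numbers visited so the jump behaviour can be checked.

```python
# Toy evaluator for the ipfw "skipto as head/group" layout in the post.
# Added example, not from the post or from ipfw. The rule text is the
# post's own, minus rule 1010 (tcpseq/tcpoptions are not modelled here).
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str            # "allow", "deny" or "skipto" ("pass" is an alias of allow)
    target: Optional[int]  # skipto destination, None for terminal rules
    proto: str             # "ip" matches every protocol
    src: str               # "any" or a hostname placeholder
    dst: str


def parse_rule(line: str) -> Rule:
    """Parse '<num> <action> [<target>] <proto> from <src> to <dst> ...'.
    Anything after <dst> (e.g. 'tcpseq 0') is ignored by this toy parser."""
    tok = line.split("#", 1)[0].split()
    number, action = int(tok[0]), tok[1]
    target = None
    i = 2
    if action == "skipto":
        target = int(tok[2])
        i = 3
    elif action == "pass":
        action = "allow"
    proto = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(number, action, target, proto, tok[i + 2], tok[i + 4])


# Constructed ruleset: the post's rules without 1010 and without the
# "3999 ... #not needed" trailer, which the post itself marks as redundant.
RULESET_TEXT = """\
300 skipto 1000 tcp from any to any
400 skipto 2000 udp from any to any
500 skipto 3000 icmp from any to any
1000 deny tcp from badguy to goodguy
1999 allow ip from any to any
2001 pass udp from nameserver to me
2500 deny udp from badmrudpflooder to me
2999 allow ip from any to any
3000 allow icmp from me to any
3050 deny icmp from any to any
65535 allow ip from any to any
"""


def load_ruleset(text: str) -> List[Rule]:
    rules = [parse_rule(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(rules, key=lambda r: r.number)


def matches(r: Rule, proto: str, src: str, dst: str) -> bool:
    return (r.proto in ("ip", proto)
            and r.src in ("any", src)
            and r.dst in ("any", dst))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str) -> Tuple[str, List[int]]:
    """Walk the sorted ruleset the way ipfw does: the first matching terminal
    rule decides; a matching skipto resumes at the first rule numbered >= its
    target (ipfw only allows forward jumps). Returns (verdict, rules visited)."""
    visited: List[int] = []
    i = 0
    while i < len(rules):
        r = rules[i]
        visited.append(r.number)
        if matches(r, proto, src, dst):
            if r.action != "skipto":
                return r.action, visited
            if r.target is None or r.target <= r.number:
                raise ValueError(f"rule {r.number}: skipto must jump forward")
            # Land on the first rule whose number is >= the target, not on an
            # exact match; "skipto 2000" therefore continues at rule 2001.
            i = next((k for k, x in enumerate(rules) if x.number >= r.target), len(rules))
            continue
        i += 1
    return "deny", visited  # only reached if no 65535 default rule is present


if __name__ == "__main__":
    rs = load_ruleset(RULESET_TEXT)
    # The last packet is a protocol the dispatch rules never mention: it is
    # not "in a group", it just falls into the tcp block and hits 1999.
    for pkt in [("tcp", "badguy", "goodguy"), ("udp", "nameserver", "me"),
                ("udp", "badmrudpflooder", "me"), ("icmp", "elsewhere", "me"),
                ("gre", "elsewhere", "me")]:
        verdict, path = evaluate(rs, *pkt)
        print(f"{pkt}: {verdict} via {path}")
```

The last packet in the demo (a protocol none of the three skipto rules dispatches) is the case worth noticing: it is allowed by rule 1999, the tcp block's trailer, because nothing stops a packet from walking into a block it was never sent to. With real ipf groups that traffic would never enter the tcp group; with ipfw's rule numbering, each block's trailer has to be written with "every packet that was not dispatched" in mind.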