Date: Sun, 5 Dec 1999 21:41:52 -0800
From: Gregory Sutter <gsutter@pobox.com>
To: Brian Gallucci <galluccib@yahoo.ie>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW established
Message-ID: <19991205214151.Y94590@azazel.zer0.org>
In-Reply-To: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
References: <19991206011409.10981.qmail@web3005.mail.yahoo.com>
On Sun, Dec 05, 1999 at 05:14:09PM -0800, Brian Gallucci wrote:
> I just have one question about the established command
> in rc.firewall.
>
> I have heard that if we add ->
> $fwcmd add pass tcp from any to any established
> $fwcmd add pass tcp from any to any 20 setup
> $fwcmd add pass tcp from any to any 21 setup
> $fwcmd add pass tcp from any to any 80 setup
> vs
> $fwcmd add pass tcp from any 20 to any
> $fwcmd add pass tcp from any to any 20
> $fwcmd add pass tcp from any 21 to any
> $fwcmd add pass tcp from any to any 21
>
> Using the established command will give us better
> performance on the firewall, is this correct ?

Using the 'established' keyword in this way will stop processing of the
firewall rules at that rule, thus saving however-many ns it takes to
process the remaining rules in ipfw.  Unless there are many rules, the
savings is pretty negligible.

Using the first set of rules instead of the second also closes a MAJOR
hole.  With the second set of rules in place, a person could make a
connection from port 20 on their machine (which they control) to _any_
port on a machine behind the firewall.  You _cannot_ use source port
filtering as a means of access control, since the controller of the
source host can use any port that they choose.

Regards,
Greg

-- 
Gregory S. Sutter                     Failing sardine factory cans employees!
mailto:gsutter@pobox.com
http://www.pobox.com/~gsutter/
PGP DSS public key 0x40AE3052
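The following is an added example, not code from the thread or from FreeBSD: a small Python model of ipfw's first-match evaluation for the two rule sets quoted above. It transcribes both sets into the model, runs some constructed packets through them, and reports the verdict together with how many rules were examined before a match. The packets (an attacker's SYN from source port 20 to an arbitrary internal port, an FTP control connection, an active-mode FTP data connection, and a bare ACK probe) are constructed for the example; the port numbers are assumptions. The model's 'setup' is SYN-without-ACK and 'established' is ACK-or-RST, which is how ipfw defines those keywords.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the TCP fields the quoted rules can look at (constructed model)."""
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

    @property
    def is_setup(self) -> bool:
        # ipfw 'setup': SYN set, ACK clear - the first packet of a handshake
        return self.syn and not self.ack

    @property
    def is_established(self) -> bool:
        # ipfw 'established': RST or ACK set - anything after the initial SYN.
        # Note this is a flag check, not connection tracking.
        return self.ack or self.rst


@dataclass(frozen=True)
class Rule:
    action: str                       # 'pass' or 'deny'
    src_port: Optional[int] = None    # None means 'any'
    dst_port: Optional[int] = None    # None means 'any'
    flag: Optional[str] = None        # 'setup', 'established' or None

    def matches(self, pkt: Packet) -> bool:
        if self.src_port is not None and pkt.src_port != self.src_port:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.flag == "setup" and not pkt.is_setup:
            return False
        if self.flag == "established" and not pkt.is_established:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First-match evaluation as ipfw does it.

    Returns (action, number_of_rules_examined). An implicit final deny
    stands in for ipfw's default rule.
    """
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, examined
    return "deny", len(rules)


# The first rule set from the thread (established/setup style).
SETUP_STYLE = [
    Rule("pass", flag="established"),          # pass tcp from any to any established
    Rule("pass", dst_port=20, flag="setup"),   # pass tcp from any to any 20 setup
    Rule("pass", dst_port=21, flag="setup"),   # pass tcp from any to any 21 setup
    Rule("pass", dst_port=80, flag="setup"),   # pass tcp from any to any 80 setup
]

# The second rule set from the thread (source-port style).
SOURCE_PORT_STYLE = [
    Rule("pass", src_port=20),                 # pass tcp from any 20 to any
    Rule("pass", dst_port=20),                 # pass tcp from any to any 20
    Rule("pass", src_port=21),                 # pass tcp from any 21 to any
    Rule("pass", dst_port=21),                 # pass tcp from any to any 21
]

# Constructed packets (ports are assumptions for the example).
ATTACKER_SYN = Packet(src_port=20, dst_port=3306, syn=True)         # attacker binds port 20, probes an internal service
FTP_CONTROL_SYN = Packet(src_port=51000, dst_port=21, syn=True)     # client opening an FTP control connection
FTP_CONTROL_ACK = Packet(src_port=51000, dst_port=21, ack=True)     # a later packet on that connection
ACTIVE_FTP_DATA_SYN = Packet(src_port=20, dst_port=51001, syn=True)  # remote FTP server opening an active-mode data channel
ACK_PROBE = Packet(src_port=40000, dst_port=3306, ack=True)         # bare ACK with no connection behind it


def compare(pkt: Packet) -> Dict[str, Tuple[str, int]]:
    """Run one packet through both rule sets."""
    return {
        "setup_style": evaluate(SETUP_STYLE, pkt),
        "source_port_style": evaluate(SOURCE_PORT_STYLE, pkt),
    }


if __name__ == "__main__":
    samples = [("attacker SYN from port 20", ATTACKER_SYN),
               ("FTP control SYN", FTP_CONTROL_SYN),
               ("FTP control ACK", FTP_CONTROL_ACK),
               ("active FTP data SYN", ACTIVE_FTP_DATA_SYN),
               ("bare ACK probe", ACK_PROBE)]
    for label, pkt in samples:
        print(f"{label:28s} {compare(pkt)}")
```

Two things the run makes visible. The attacker's SYN from port 20 and the legitimate active-mode FTP data SYN are indistinguishable to a stateless filter, so the source-port set either lets both in or blocks both; the setup/established set blocks both, which closes the hole but also means active-mode FTP data connections need some other mechanism (an FTP-aware proxy or connection tracking) rather than a source-port rule. Second, 'established' only tests the ACK/RST bits: a bare ACK probe with no connection behind it passes the first rule of the setup/established set, so that set still does not stop ACK scans of internal hosts; what it does stop is new connections to ports other than 20, 21 and 80.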
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991205214151.Y94590>