Date:      Fri, 17 Sep 2004 12:20:09 -0500
From:      Norm Vilmer <norm@etherealconsulting.com>
To:        Dave McCammon <davemac11@yahoo.com>
Cc:        questions@freebsd.org
Subject:   Re: Too many dynamic rules, sorry
Message-ID:  <414B1CC9.7040600@etherealconsulting.com>
In-Reply-To: <20040917162811.30280.qmail@web41406.mail.yahoo.com>
References:  <20040917162811.30280.qmail@web41406.mail.yahoo.com>

Dave McCammon wrote:

> --- Bill Moran <wmoran@potentialtech.com> wrote:
> 
>>Rob <spamrefuse@yahoo.com> wrote:
>>
>>>Norm Vilmer wrote:
>>>
>>>>Here are the rules that I have that keep-state on the outside interface:
>>>>
>>>>#For DNS
>>>>add 01300 pass udp from ${oip} to any 53 keep-state
>>>># For NTP
>>>>add 01400 pass udp from ${oip} to any 123 keep-state
>>>># For VPN
>>>>add 01500 pass gre from any to any keep-state
>>>># For ICMP
>>>>add 01600 pass icmp from any to any via ${oip} keep-state
>>>>
>>>>Do you think these are causing the problem?
>>>
>>>Aren't udp and icmp state-less protocols?
>>>In that case, keep-state would not make much sense.
>>>
>>>I use 'keep-state' only for tcp rules.
>>>
>>>I may be wrong, moreover, I haven't followed the full thread :).
>>
>>You'll generally need to keep state on UDP when you play online games.
>>
>>If you're smart, you don't allow arbitrary UDP packets from the outside
>>world into your network, but if you're playing Unreal or something, then
>>all communication is via UDP, and you won't be able to play.
>>
>>The best solution is to allow all UDP traffic to _leave_, while keeping
>>state.  The keep-state remembers the ip/port information on the outgoing
>>packets, and thus allows return packets to get back in (by matching the
>>ip/port pair).
>>
>>Now, when you know the port, it doesn't really make sense to use
>>keep-state, and all you're really doing is spamming your state tables.
>>
>>If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
>>these rules (designed to handle running a DNS server):
>>        # Allow access to our DNS
>>        ${fwcmd} add pass tcp from any to ${oip} 53 setup
>>        ${fwcmd} add pass udp from any to ${oip} 53
>>        ${fwcmd} add pass udp from ${oip} 53 to any
>>
>>Granted, it's three rules instead of 1, but it does not use your state
>>tables unnecessarily (sp?)
>>
>>HTH.
>>
> 
> 
> Sorry, wasn't done with last message.
> 
> Look at your dynamic table, if you are getting DoS'd,
> try using the "limit" option instead of keep-state or
> tweak the net.inet.ip.fw.dyn_(*)_lifetime to a level
> that suits your needs.
> 
> Or, rewrite your rules removing the keep-state options.
> 
I think I follow you. I am going to have to play around with the
DNS rules supplied with rc.firewall to see if I can get them to
work. Just putting them in as given, my machines inside the firewall
can not do nslookups.

I am a little afraid to play with the net.inet.ip.fw.dyn_(*)_lifetime
level. I have seen a number of postings where people increase the value;
mine is set to 300 (default). I did remove keep-state from all my rules
except the gre rule. I also set the net.inet.ip.fw.dyn_max to 8192, which
helps.

Maybe I need a good book on the subject. Any suggestions?

Norm Vilmer
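As an added example that is not part of this thread or of FreeBSD's own rc.firewall, the script below puts the advice from the thread together in rc.firewall style: stateless rules for the known UDP ports (written for a DNS and NTP client, since the rc.firewall rules quoted above cover the DNS-server direction, inbound to ${oip} port 53), ipfw's "limit" option in place of keep-state where state is actually needed, and the dyn_max sysctl. The names oip, inside_net, resolver and ntp_server and their sample addresses are assumptions; the script only echoes the ipfw and sysctl commands unless FWCMD and SYSCTL are overridden.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall: an
# rc.firewall-style fragment that applies the advice in the thread.
# Assumed names: oip (outside address), inside_net, resolver, ntp_server;
# the sample addresses are constructed. Dry run by default: FWCMD="echo ipfw"
# prints the commands instead of loading them. On a FreeBSD host, run as
# root with FWCMD=ipfw SYSCTL=sysctl.

FWCMD="${FWCMD:-echo ipfw}"
SYSCTL="${SYSCTL:-echo sysctl}"
oip="${oip:-192.0.2.10}"                    # constructed outside address
inside_net="${inside_net:-10.0.0.0/24}"     # constructed inside network
resolver="${resolver:-198.51.100.53}"       # constructed upstream resolver
ntp_server="${ntp_server:-198.51.100.123}"  # constructed NTP server

# 1. Known-port UDP without keep-state. The rc.firewall rules quoted in the
#    thread ("from any to ${oip} 53") let outsiders reach a DNS *server* on
#    this host; a resolver client needs the opposite direction: queries
#    leave from our address to port 53, replies come back from port 53 to
#    an ephemeral port. Pinning the reply rule to the configured resolver
#    instead of "any 53" keeps the stateless rule from admitting arbitrary
#    UDP that merely claims source port 53.
dns_client_rules() {
    ${FWCMD} add 01300 pass udp from ${oip} to ${resolver} 53
    ${FWCMD} add 01310 pass udp from ${resolver} 53 to ${oip}
}

# Same pattern for NTP: no dynamic-table entry is created for a known port.
ntp_client_rules() {
    ${FWCMD} add 01400 pass udp from ${oip} to ${ntp_server} 123
    ${FWCMD} add 01410 pass udp from ${ntp_server} 123 to ${oip}
}

# 2. Where state is genuinely needed (outbound TCP to arbitrary ports),
#    "limit src-addr N" instead of keep-state caps the dynamic rules any
#    one inside host can hold, so a single flooded or misbehaving machine
#    cannot fill the whole dynamic table. check-state matches return
#    traffic against those dynamic rules.
stateful_tcp_rules() {
    ${FWCMD} add 01700 check-state
    ${FWCMD} add 01710 pass tcp from ${inside_net} to any setup limit src-addr 20
}

# 3. Size the dynamic table explicitly (the value reported in the thread)
#    rather than only stretching the dyn_*_lifetime sysctls; longer
#    lifetimes keep stale entries around and make the table fill sooner.
dyn_table_tuning() {
    ${SYSCTL} net.inet.ip.fw.dyn_max=8192
}

all_rules() {
    dns_client_rules
    ntp_client_rules
    stateful_tcp_rules
}

# How many rules in the set still create dynamic-table entries.
dynamic_rule_count() {
    all_rules | grep -c -E 'keep-state|limit ' || true
}

all_rules
dyn_table_tuning
```

Run as-is it prints the rule set for review; only the single TCP rule with "limit" creates dynamic entries, and each inside address is capped at 20 of them, which is the property Dave's "limit" suggestion is after.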



