Date: Fri, 17 Sep 2004 12:20:09 -0500 From: Norm Vilmer <norm@etherealconsulting.com> To: Dave McCammon <davemac11@yahoo.com> Cc: questions@freebsd.org Subject: Re: Too many dynamic rules, sorry Message-ID: <414B1CC9.7040600@etherealconsulting.com> In-Reply-To: <20040917162811.30280.qmail@web41406.mail.yahoo.com> References: <20040917162811.30280.qmail@web41406.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Dave McCammon wrote: > --- Bill Moran <wmoran@potentialtech.com> wrote: > > >>Rob <spamrefuse@yahoo.com> wrote: >> >> >>>Norm Vilmer wrote: >>> >>>>Here are the rules that I have that keep-state >> >>on the outside interface: >> >>>>#For DNS >>>>add 01300 pass udp from ${oip} to any 53 >> >>keep-state >> >>>># For NTP >>>>add 01400 pass udp from ${oip} to any 123 >> >>keep-state >> >>>># For VPN >>>>add 01500 pass gre from any to any keep-state >>>># For ICMP >>>>add 01600 pass icmp from any to any via ${oip} >> >>keep-state >> >>>>Do you think these are causing the problem? >>> >>>Aren't udp and icmp state-less protocols? >>>In that case, keep-state would not make much >> >>sense. >> >>>I use 'keep-state' only for tcp rules. >>> >>>I may be wrong, moreover, I haven't followed the >> >>full thread :). >> >>You'll generally need to keep state on UDP when you >>play online games. >> >>If you're smart, you don't allow arbitrary UDP >>packets from the outside >>world into your network, but if you're playing >>Unreal or something, then >>all communication is via UDP, and you won't be able >>to play. >> >>The best solution is to allow all UDP traffic to >>_leave_, while keeping >>state. the keep-state remembers the ip/port >>information on the outgoing >>packets, and thus allows return packets to get back >>in (by matching the >>ip/port pair). >> >>Now, when you know the port, it doesn't really make >>sense to use >>keep-state, and all you're really doing is spamming >>your state tables. >> >>If you look in the /etc/rc.firewall that ships with >>FreeBSD, you'll see >>these rules (designed to handle running a DNS >>server): >> # Allow access to our DNS >> ${fwcmd} add pass tcp from any to ${oip} 53 >>setup >> ${fwcmd} add pass udp from any to ${oip} 53 >> ${fwcmd} add pass udp from ${oip} 53 to any >> >>Granted, it's three rules instead of 1, but it does >>not use your state >>tables unnecessarily (sp?) >> >>HTH. >> >> > > > Sorry, wasn't done with last message. > > Look at your dynamic table, if you are getting DoS'd, > try using the "limit" option instead of keep-state or > tweak the net.inet.ip.fw.dyn_(*)_lifetime to a level > that suits your needs. > > Or, rewrite your rules removing the keep-state options. > > > > _______________________________ > Do you Yahoo!? > Declare Yourself - Register online to vote today! > http://vote.yahoo.com > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" > I think I follow you. I am going to have to play around with the DNS rules supplied with rc.firewall to see if I can get them to work. Just putting them in as given, my machines inside the firewall can not do nslookup's. I am a little afraid to play with the net.inet.ip.fw.dyn_(*)_lifetime level, I have seen a number of posting where people increase the value, mine is set to 300 (default). I did remove keep-state from all my rules excpet the gre rule. I also set the net.inet.ip.fw.dyn_max to 8192 which helps. Maybe I need a good book on the subject. Any suggestions? Norm Vilmer
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?414B1CC9.7040600>