Date:      Mon, 6 May 2002 02:08:20 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Jens Rehsack <rehsack@liwing.de>
Cc:        Michael Riexinger <mailinglists@grindking.de>, freebsd-stable@freebsd.org
Subject:   Re: ipfilter problem
Message-ID:  <20020506020820.A82377@mail.webmonster.de>
In-Reply-To: <3CD5B662.26298116@liwing.de>; from rehsack@liwing.de on Mon, May 06, 2002 at 12:46:58AM +0200
References:  <20020504223450.GA1025@grind.grind.dom> <20020505152314.B73550@mail.webmonster.de> <20020505133204.GA667@grind.grind.dom> <20020505184630.A76286@mail.webmonster.de> <3CD5B662.26298116@liwing.de>

Jens Rehsack(rehsack@liwing.de)@2002.05.06 00:46:58 +0000:
> "Karsten W. Rohrbach" wrote:
> >
> > Michael Riexinger(mailinglists@grindking.de)@2002.05.05 15:32:04 +0000:
> > > On Sun May  5 15:23:14 2002, Karsten W. Rohrbach wrote:
> > > > the problem can only be analyzed efficiently if you show us the rest of
> > > > the ruleset. anything else is pure guesswork, based on assumptions about
> > > > your ipf configuration.
> > > >
> > > > regards,
> > > > /k
> > > Ok, here they are. But I wonder why it worked without problems with
> > > previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAIT_1
> > > states to the newsserver.
> > > (tcp4       0      0  dialin-212-144-1.49368 news.fu-berlin.d.nntp
> > > FIN_WAIT_1)
> > >
> > >
> > > pass in quick on lo0 all
> > > pass out quick on lo0 all
> > >
> > > pass in quick on ed0 all
> > > pass out quick on ed0 all
> > >
> > > pass out quick on isp0 proto tcp/udp from any to any keep state
> >
> > pass out quick on isp0 proto tcp from any to any flags S/SA keep state
> > pass out quick on isp0 proto udp from any to any keep state
> I don't use the flags, but my ruleset works. But I have seen many times
> (others and me, too) that being confused about the "last rule match" and
> the "quick leaves promptly" behaviour.
>
> I do following: I write all global rules at the top of the file/section,
> in this case the 3 lines with "return-unr". Then I specialize in the next
> lines using "quick" rules.

that's a matter of style, not functionality. i can hardly see the
improvements for a 10 line ruleset here. all entries are "quick", so
they get matched from top to bottom. the order of processing for
non-quick rules is somewhat different (and affects processing speed,
but that's not the issue here). having a flat matching strategy in a
"personal firewall" style rule set is pretty intuitive, compared to
"global"/"quick" mix'n'match or grouped sub rule sets, but hey, it's his
dsl/isdn router and no rocket science...

opposing to your apparent ideas, i implement firewall policies the
following way:
- as simple as possible
- documented
- structured by access groups/protocols/services, or both, or all three
- optimized for performance by rule groups, if applicable

the main problem here might be that he just had _one_ line for _both_
protocols, tcp and udp, which might lead to trouble in several points.
that's a totally different thing.

> This works, if I do not write it after the 4th beer. But sometimes even then ;-)

...and makes things more complicated by sticking to different rule
matching strategies in a set of 10 or some rules. i can see your point
with the beer, but what do you do after the 8th one, being confronted
with your own rulesets?

> > instead of the above one line should work. if it doesn't then give me a
> > slap on the head, i'm still a bit drunk from yesterday ;-)
> >
> > > pass out quick on isp0 proto icmp from any to any keep state
> > >
> > > pass in quick on isp0 proto tcp from any to any port = 80
> > > pass in quick on isp0 proto tcp from any to any port = 60000
> > >
> > > block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp from
> > > any to any
> > > block return-rst in log quick on isp0 proto tcp from any to any
> > > block return-icmp(port-unr) in log quick on isp0 proto udp from any to
> > > any
> > >
> >
> > 'ipfstat -s' on your box will tell you about state statistics.
> >
> > when you reload your rule set for testing, you should invoke it like
> > 'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old
> > state table.
> >
> > 'ipfstat -t' gives you a "top" style display of current states, so you
> > can check them in realtime.

regards,
/k

-- 
> Wenn in der Kueche alles stimmt, geht auch die Musik in Ordnung.
WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG:   0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4  A113 B393 6BF4 DEC9 48A6
REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C  5F 0B E0 6B 4D CD 8C 44
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x
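The "last rule match" versus "quick" behaviour argued about above, as an added example that is not code from the thread or from ipfilter itself: a small Python model of ipf's rule walk, with `flags S/SA` and `keep state` reduced to the bits needed to show the point. The `Rule`/`Packet` classes, the `evaluate`/`creates_state` helpers and the rulesets are constructed simplifications of the isp0 rules quoted in the mail, not the poster's actual file.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str             # e.g. "isp0"
    protos: frozenset      # {"tcp"}, {"udp"}, {"tcp", "udp"} or {"any"}
    quick: bool = False    # stop evaluating on match
    flags: str = ""        # e.g. "S/SA": match only a bare SYN
    keep_state: bool = False

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    tcp_flags: str = ""    # letters from "SAFRPU", e.g. "S", "SA", "FA"

def matches(rule, pkt):
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if "any" not in rule.protos and pkt.proto not in rule.protos:
        return False
    if rule.flags and pkt.proto == "tcp":
        want, mask = rule.flags.split("/")
        # Only the bits named in the mask are compared; they must equal 'want'.
        masked = "".join(f for f in pkt.tcp_flags if f in mask)
        return sorted(masked) == sorted(want)
    return True

def evaluate(rules, pkt):
    """Return (action, index of deciding rule). ipf walks the whole list and the
    last match wins, unless a matching rule is quick; with no match it passes."""
    decision = ("pass", None)
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision

def creates_state(rules, pkt):  # pass + 'keep state' on the deciding rule
    action, idx = evaluate(rules, pkt)
    return action == "pass" and idx is not None and rules[idx].keep_state

# Constructed rulesets modelled on the thread's isp0 rules, not the poster's file.
OUT_SYN_ONLY = [Rule("pass", "out", "isp0", frozenset({"tcp"}), True, "S/SA", True),
                Rule("pass", "out", "isp0", frozenset({"udp"}), True, "", True)]
OUT_ONE_LINE = [Rule("pass", "out", "isp0", frozenset({"tcp", "udp"}), True, "", True)]
LAST_MATCH_TRAP = [Rule("pass", "in", "isp0", frozenset({"tcp"})),   # not quick...
                   Rule("block", "in", "isp0", frozenset({"tcp"}))]  # ...so this one wins
```

With `OUT_ONE_LINE` an outgoing FIN/ACK creates a state entry just like a SYN does, while `OUT_SYN_ONLY` only keeps state for a fresh SYN; `LAST_MATCH_TRAP` shows a non-quick pass being overruled by the later non-quick block.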
