Date:      Tue, 24 May 2005 16:12:52 -0400
From:      Charles Swiger <cswiger@mac.com>
To:        Stephane Raimbault <stephane@enertiasoft.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: named error sending response: permision denied
Message-ID:  <0E1A6107-FB85-4D9F-9873-7E5FBE8EB4C5@mac.com>
In-Reply-To: <F4C0013C-245C-41AE-9E4C-226829631D84@enertiasoft.com>
References:  <39F3A41D-9555-452F-8B41-3EA03E1AC460@enertiasoft.com> <1116435784.34699.23.camel@jose> <DBDEAE42-4CD3-4989-AEB8-CF4794942240@enertiasoft.com> <5D5EFEE7-F123-43CB-A40E-7FF7EAF03C07@enertiasoft.com> <428DEB28.5030505@mac.com> <FCDE429D-2518-453D-B0EA-9CF55F539D70@enertiasoft.com> <96966222-05C1-4686-9F07-EA8A43738B4E@mac.com> <F4C0013C-245C-41AE-9E4C-226829631D84@enertiasoft.com>

On May 24, 2005, at 2:25 PM, Stephane Raimbault wrote:
>> I hate to ask something silly, but you do have a check-state rule  
>> somewhere, right?
>>
> it's not silly..., what's silly is now I'm asking how would I  
> check :) or what would the rule look like.

You'd have an "ipfw add check-state" rule somewhere.

>> The rules you've added permit traffic in both directions, which  
>> shouldn't be needed unless the stateful matching wasn't working  
>> right.  Anyway, you don't need to use stateful rules if you permit  
>> traffic in both ways, but the possible tradeoff is making the  
>> systems more accessible to scanning and some DoS attacks using  
>> forged traffic.
>>
>> Not using keep-state with UDP is quite reasonable, but you might  
>> consider adding a "keep-state" with your TCP rules for port 53.   
>> You should also be aware that your nameservers will want to make  
>> outbound connections using TCP themselves sometimes....
>
> you've actually kinda answered the other question I neglected to  
> ask... which is, would I really need the keep-state, since it  
> seemed to work without it being there when I did my testing earlier  
> today.  Regarding adding keep-state to my tcp rule... would this  
> not do the same thing... ? am I confused... or is it just insecure  
> of doing it this way:
>
> # Allow TCP through if setup succeeded
> ${fwcmd} add pass tcp from any to any established

Stateful matching of connections can be more secure than passing any  
traffic which is established, but that depends on the other rules  
which are being used.  However, the IPFW manpage has a good  
description of this:

      The typical use of dynamic rules is to keep a closed firewall
      configuration, but let the first TCP SYN packet from the inside network
      install a dynamic rule for the flow so that packets belonging to that
      session will be allowed through the firewall:

            ipfw add check-state
            ipfw add allow tcp from my-subnet to any setup keep-state
            ipfw add deny tcp from any to any

-- 
-Chuck
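As an added illustration of the manpage pattern above (and of the
"established" versus "keep-state" question earlier in the thread), here is a
small rc.firewall-style script that builds a closed, stateful ipfw ruleset
for a nameserver host. It is not from the original message or the ipfw
manual; the addresses (192.0.2.0/24, 192.0.2.53) are assumed documentation
values and the rule numbers are arbitrary. ${fwcmd} defaults to "echo ipfw"
so the script can be dry-run anywhere; set fwcmd=/sbin/ipfw on the FreeBSD
box to load the rules for real.

```shell
#!/bin/sh
# Added example, not the original poster's ruleset or the ipfw manual's.
# Assumed values: fwcmd, my_subnet and ns_ip are placeholders.
fwcmd=${fwcmd:-"echo ipfw"}            # "echo ipfw" = dry run; /sbin/ipfw = load
my_subnet=${my_subnet:-192.0.2.0/24}   # assumed inside network (RFC 5737 prefix)
ns_ip=${ns_ip:-192.0.2.53}             # assumed nameserver address

load_ruleset() {
    ${fwcmd} -f flush
    # 1. check-state first: packets matching an existing dynamic rule are
    #    accepted here, before any static rule is consulted.
    ${fwcmd} add 100 check-state
    # 2. DNS over UDP in both directions, no state (as agreed in the thread).
    ${fwcmd} add 200 allow udp from any to ${ns_ip} 53
    ${fwcmd} add 210 allow udp from ${ns_ip} 53 to any
    # 3. DNS over TCP: only the SYN ("setup") matches; keep-state installs the
    #    dynamic rule that lets the rest of that session through in both
    #    directions. No "established" rule is needed, so a forged ACK packet
    #    matches nothing.
    ${fwcmd} add 300 allow tcp from any to ${ns_ip} 53 setup keep-state
    # 4. The nameserver's own outbound TCP (zone transfers, large answers).
    ${fwcmd} add 310 allow tcp from ${ns_ip} to any setup keep-state
    # 5. Inside network outbound, exactly as in the manpage example.
    ${fwcmd} add 400 allow tcp from ${my_subnet} to any setup keep-state
    # 6. Closed policy: everything not matched above is dropped.
    ${fwcmd} add 65000 deny ip from any to any
}

# dry_run prints the ruleset without touching the kernel (runs in a subshell
# so the caller's fwcmd is left alone).
dry_run() {
    ( fwcmd="echo ipfw"; load_ruleset )
}

# check_order succeeds only if check-state is installed before the first
# keep-state rule, which is the ordering the manpage excerpt relies on.
check_order() {
    dry_run | awk '
        /check-state/ && cs == 0 { cs = NR }
        /keep-state/  && ks == 0 { ks = NR }
        END { exit !(cs > 0 && ks > 0 && cs < ks) }'
}

# Run directly: show the ruleset and report whether the ordering is sound.
if [ "${0##*/}" = "ipfw_dns_ruleset.sh" ]; then
    dry_run
    check_order && echo "ordering ok: check-state precedes keep-state"
fi
```

The point the script encodes is that the only way a TCP packet gets through
rule 65000 is by belonging to a session whose SYN matched a setup keep-state
rule; there is no "established" catch-all for a forged packet to hit, which
is the tradeoff Chuck describes above.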
