RE: Please Help with Confusion about ipfw rules.

I use the sample ipfw rules with keep state as shown in the handbook firewall section. People on this list don't have ESP, so they can't read your mind about what rules you have coded. Posting your ipfw rule set will go a long way to getting a response from readers of this list. That being said, I recommend you read the ipfw section of the handbook and use the sample rules listed there.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin McCormick
Sent: Thursday, July 26, 2007 10:15 AM
To: freebsd-questions@freebsd.org
Subject: Please Help with Confusion about ipfw rules.

> This is a situation where I thought I knew more than I actually do. I set up a new domain name server with a client-type firewall after having tested it first, but there is nothing like hundreds of thousands of packets per hour to show the weak spots. I made the mistake of setting up keep-state rules both coming and going, and I now see ipfw complaining frequently about too many dynamic rules.
>
> All I am really trying to do is give crackers a lot of nothing to look at when scanning the ports on the system. It isn't doing any NAT or routing, etc. I am not sure if I really need any keep-state rules. The DNS needs to be accessible to the world and be able to talk to the world on port 53, and that is all as far as bind is concerned.
>
> What I am confused about is when I actually need keep-state rules and when a simple rule like:
>
>     ${fwcmd} add pass all from any to ${ip} 53
>
> and
>
>     ${fwcmd} add pass all from ${ip} to any 53
>
> That theoretically should leave port 53 wide open to all types of in-bound and out-bound traffic. Fortunately, the new system is still working, but I am afraid we might be dropping some packets, so I need to modify the port 53 access.
>
> Thanks for your help.
>
> Martin McCormick WB5AGZ  Stillwater, OK
> Systems Engineer
> OSU Information Technology Department Network Operations Group

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Please Help with Confusion about ipfw rules. Solved.

fbsd2 writes:
> I use the sample ipfw rules with keep state as shown in the handbook

They do work fine. They just aren't meant for the kind of load they were under. I needed to know how to get the same functionality by other means. If you use the keep-state directive, high traffic can basically kill ipfw by running it out of dynamic rule space.

> People on this list don't have ESP so they can't read your mind about what rules you have coded.

But they can read down to where it says:

    ${fwcmd} add pass all from any to ${ip} 53

and

    ${fwcmd} add pass all from ${ip} to any 53

It turns out that I didn't catch on to the need for supporting the reply traffic that each of those two rules generate. This stateless set of rules solved the problem and does not use up dynamic rule space.

    ${fwcmd} add allow ip from any to ${ip} dst-port 53
    ${fwcmd} add allow ip from ${ip} 53 to any          # allow reply traffic
    ${fwcmd} add allow ip from ${ip} to any dst-port 53
    ${fwcmd} add allow ip from any 53 to ${ip}          # allow reply traffic
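The stateless rule set Martin settled on, written up as an added example (this is not his script or anything posted in the thread): it emits the same four-rule pattern next to a keep-state version of the same policy, so the difference in dynamic-table use is visible side by side. The `${fwcmd}` and `${ip}` names follow the thread; the rule numbers, the restriction to udp and tcp, the dry-run preview with `echo`, and the `dyn_usage` helper are assumptions of this example. Note that the last rule of each protocol pair accepts any packet whose source port is 53, which is the price of going stateless.

```shell
#!/bin/sh
# Added example, not from the thread: generate ipfw rules for an
# authoritative DNS server. Preview without touching the firewall with:
#   dns_rules_stateless echo 192.0.2.53
# On a live host pass the real command instead, e.g. "ipfw -q".

# Stateless: four static rules per protocol. Nothing is added to the
# dynamic rule table no matter how many queries arrive, so a high query
# rate cannot exhaust net.inet.ip.fw.dyn_max.
dns_rules_stateless() {
    fwcmd=$1; ip=$2; base=${3:-1000}
    for proto in udp tcp; do
        # queries from the world to our server, and our answers back
        $fwcmd add "$base"         allow $proto from any to "$ip" 53
        $fwcmd add "$((base + 1))" allow $proto from "$ip" 53 to any
        # our own outbound queries (zone transfers, lookups) and their replies
        $fwcmd add "$((base + 2))" allow $proto from "$ip" to any 53
        $fwcmd add "$((base + 3))" allow $proto from any 53 to "$ip"
        base=$((base + 10))
    done
}

# Stateful: check-state plus two keep-state rules per protocol. Every new
# query creates a dynamic entry that lives until its lifetime expires,
# which is what produces "too many dynamic rules" under load.
dns_rules_stateful() {
    fwcmd=$1; ip=$2; base=${3:-1000}
    $fwcmd add "$base" check-state
    for proto in udp tcp; do
        base=$((base + 10))
        $fwcmd add "$base"         allow $proto from any to "$ip" 53 keep-state
        $fwcmd add "$((base + 1))" allow $proto from "$ip" to any 53 keep-state
    done
}

# Report dynamic-table pressure on a live FreeBSD host (assumed helper;
# needs sysctl access, so it is not part of the dry-run preview).
dyn_usage() {
    echo "dynamic rules in use: $(sysctl -n net.inet.ip.fw.dyn_count) of $(sysctl -n net.inet.ip.fw.dyn_max)"
}
```

Run `dyn_usage` while the stateful set is loaded and again after switching to the stateless one to see the dynamic count stay flat under the same query load.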
Please Help with Confusion about ipfw rules.

This is a situation where I thought I knew more than I actually do. I set up a new domain name server with a client-type firewall after having tested it first, but there is nothing like hundreds of thousands of packets per hour to show the weak spots. I made the mistake of setting up keep-state rules both coming and going, and I now see ipfw complaining frequently about too many dynamic rules.

All I am really trying to do is give crackers a lot of nothing to look at when scanning the ports on the system. It isn't doing any NAT or routing, etc. I am not sure if I really need any keep-state rules. The DNS needs to be accessible to the world and be able to talk to the world on port 53, and that is all as far as bind is concerned.

What I am confused about is when I actually need keep-state rules and when a simple rule like:

    ${fwcmd} add pass all from any to ${ip} 53

and

    ${fwcmd} add pass all from ${ip} to any 53

That theoretically should leave port 53 wide open to all types of in-bound and out-bound traffic. Fortunately, the new system is still working, but I am afraid we might be dropping some packets, so I need to modify the port 53 access.

Thanks for your help.

Martin McCormick WB5AGZ  Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group