RE: Please Help with Confusion about ipfw rules.
I use the sample ipfw rules with keep state as shown in the handbook
firewall section.
People on this list don't have ESP so they can't read your mind about what
rules you have coded.
Posting your ipfw rule set will go a long way to getting a response from
readers of this list.
That being said I recommend you read the ipfw section of the handbook and
use the sample rules listed there.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Martin McCormick
Sent: Thursday, July 26, 2007 10:15 AM
To: freebsd-questions@freebsd.org
Subject: Please Help with Confusion about ipfw rules.
This is a situation where I thought I knew more than I
actually do. I set up a new domain name server with a
client-type firewall after having tested it first, but there is
nothing like hundreds of thousands of packets per hour to show
the weak spots.
I made the mistake of setting up keep-state rules both
coming and going and I now see ipfw complaining frequently about
too many dynamic rules. All I am really trying to do is give
crackers a lot of nothing to look at when scanning the ports on
the system. It isn't doing any NAT or routing, etc. I am not
sure if I really need any keep-state rules. The DNS needs to be
accessible to the world and be able to talk to the world on port
53 and that is all as far as bind is concerned.
What I am confused about is when I actually need
keep-state rules and when a simple rule like:
${fwcmd} add pass all from any to ${ip} 53
and
${fwcmd} add pass all from ${ip} to any 53
That theoretically should leave port 53 wide open to all types
of in-bound and out-bound traffic.
Fortunately, the new system is still working, but I am afraid we
might be dropping some packets so I need to modify the port 53
access.
Thanks for your help.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Please Help with Confusion about ipfw rules. Solved.
fbsd2 writes:
I use the sample ipfw rules with keep state as shown in the handbook
they do work fine. They just aren't meant for the kind of load
they were under. I needed to know how to get the same
functionality by other means.
If you use the keep-state directive, high traffic can
basically kill ipfw by running it out of dynamic rule space.
People on this list don't have ESP so they can't read your mind about what
rules you have coded.
But they can read down to where it says:
${fwcmd} add pass all from any to ${ip} 53
and
${fwcmd} add pass all from ${ip} to any 53
It turns out that I didn't catch on to the need for supporting
the reply traffic that each of those two rules generate. This
stateless set of rules solved the problem and does not use up
dynamic rule space.
${fwcmd} add allow ip from any to ${ip} dst-port 53
${fwcmd} add allow ip from ${ip} 53 to any // allow reply traffic
${fwcmd} add allow ip from ${ip} to any dst-port 53
${fwcmd} add allow ip from any 53 to ${ip} // allow reply traffic
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Please Help with Confusion about ipfw rules.
This is a situation where I thought I knew more than I
actually do. I set up a new domain name server with a
client-type firewall after having tested it first, but there is
nothing like hundreds of thousands of packets per hour to show
the weak spots.
I made the mistake of setting up keep-state rules both
coming and going and I now see ipfw complaining frequently about
too many dynamic rules. All I am really trying to do is give
crackers a lot of nothing to look at when scanning the ports on
the system. It isn't doing any NAT or routing, etc. I am not
sure if I really need any keep-state rules. The DNS needs to be
accessible to the world and be able to talk to the world on port
53 and that is all as far as bind is concerned.
What I am confused about is when I actually need
keep-state rules and when a simple rule like:
${fwcmd} add pass all from any to ${ip} 53
and
${fwcmd} add pass all from ${ip} to any 53
That theoretically should leave port 53 wide open to all types
of in-bound and out-bound traffic.
Fortunately, the new system is still working, but I am afraid we
might be dropping some packets so I need to modify the port 53
access.
Thanks for your help.
Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
