Date:      Tue, 22 Jan 2002 20:55:52 -0500 (EST)
From:      Scott Nolde <scott@smnolde.com>
To:        Ray Kohler <rkohler1@cox.rr.com>
Cc:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Some questions about ipfw
Message-ID:  <20020122204221.F48937-100000@bsd.smnolde.com>
In-Reply-To: <097f55727011712FE8@mail8.mgfairfax.rr.com>

Thus sayeth the previous author:

 >Date: Tue, 22 Jan 2002 20:31:12 -0500
 >From: Ray Kohler <rkohler1@cox.rr.com>
 >To: Scott Nolde <scott@smnolde.com>
 >Cc: freebsd-questions@FreeBSD.ORG
 >Subject: Re: Some questions about ipfw
 >
 >On Tuesday 22 January 2002 08:04 pm, Scott Nolde wrote:
 >> Thus sayeth the previous author:
 >>  >Date: Tue, 22 Jan 2002 19:33:06 -0500
 >>  >From: Ray Kohler <rkohler1@cox.rr.com>
 >>  >To: freebsd-questions@FreeBSD.ORG
 >>  >Subject: Some questions about ipfw
 >>
 >>  >I have 3 questions:
 >>  >
 >>  >1) Why does the rc.firewall script use "setup" and
 >>  > "established" rules for tcp instead of keep-state like it does
 >>  > for udp?
 >>
 >> Setup will allow the SYN packet through and established lets the
 >> rest of the session's packets through.
 >
 >Sure, that's what the man page says, but what's the advantage of
 >one over the other?

The Setup packet is like someone knocking on your door.  If you want to
let that person in you open it and you have established a communication
session provided.

Usually you allow access to services by filtering in the SYN packet going
out or coming in to your machine.  If you let all SYN packets in one rule
and then later allow established connections you have a better way of
controlling which services your machine accepts connections to and from.

Knowing the difference between packets with a SYN, ACK, or RST bit is
basic TCP/IP.  See http://www.mostgraveconcern.com/freebsd/ipfw.html for a
few comments around this issue.  That example is very similar to
rc.firewall.

There is no advantage in using setup or established except
there is a right way to use one or the other.  There _is_ a difference.
Slight, but noticeable and documented.


 >
 >>  >3) I'm having trouble fetching ports even with
 >>  >FETCH_CMD= fetch -p set in make.conf. Eventually I get the
 >>  > file, but not until after a lot of servers are tried. In my
 >>  > logs I see a lot of:
 >>  >
 >>  >Jan 22 18:19:47 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
 >>  >Jan 22 18:19:49 B1M1X9 /kernel: ipfw: 600 Deny TCP 130.94.149.162:21 24.163.113.25:1032 in via rl0
 >>  >Jan 22 18:19:59 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
 >>  >Jan 22 18:20:23 B1M1X9 /kernel: ipfw: 600 Deny TCP 199.232.41.9:20167 24.163.113.25:1039 in via rl0
 >>  >
 >>  >where the "from" IPs belong to the about a dozen ftp servers
 >>  > I've tried, and the packet arrives a few minutes after fetch
 >>  > has given up on that server. (Why are these servers contacting
 >>  > me anyway when I'm using passive ftp, anyway?)
 >>
 >> This is a normal response after instituting the rules you've set
 >> forth.
 >
 >You mean difficulty fetching distfiles? packets arriving late?
 >random active ftp? packets like these being denied? What?
 >
 >(Sorry about the tone of this; I guess I'm a bit flabbergasted.)

I wouldn't say flabbergasted, but maybe a little confused, and not without
reason.  I'm surprised if you don't have more problems with any kind of
data connection with that machine.

You're trying to roll your own firewall without knowledge of firewalls.
Don't feel bad, I'm not an expert on them either, but if you try using the
CLIENT firewall setup in /etc/rc.firewall (remember to edit it) and
compare the results between your firewall and the rc.firewall example you
will see a difference.  Then compare the ipfw rules and learn from them.

 >Ray Kohler

Scott Nolde
GPG Key 0xD869AB48
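As an added illustration that is not part of this thread: a small Python model of the ipfw `setup` and `established` flag tests discussed above, run against a constructed ruleset in the rc.firewall spirit. The client address is the one from the quoted log lines; the ssh service, the remote host 203.0.113.9 and the rule numbers other than 600 are assumptions.

```python
"""Toy model of ipfw's 'setup' and 'established' TCP tests (added example, not from the thread)."""
from dataclasses import dataclass
SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP header flag bits

@dataclass
class Packet:
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

def is_setup(flags: int) -> bool:
    """ipfw 'setup': SYN set and ACK clear, the first packet of a handshake (the knock)."""
    return bool(flags & SYN) and not flags & ACK

def is_established(flags: int) -> bool:
    """ipfw 'established': ACK or RST set, any packet after the opening SYN."""
    return bool(flags & (ACK | RST))

def evaluate(rules, pkt):
    """Walk (number, action, predicate) rules in order; the first match decides."""
    for number, action, pred in rules:
        if pred(pkt):
            return number, action
    raise RuntimeError("ruleset has no catch-all")

# Constructed ruleset in the rc.firewall spirit: pass packets of sessions already
# open, admit new inbound sessions only to chosen services, log and drop the rest.
ME = "24.163.113.25"   # the client address in the quoted log lines
SERVICES = {22}        # assumed: only ssh may be opened from outside
RULES = [
    (100, "allow", lambda p: is_established(p.flags)),
    (200, "allow", lambda p: p.direction == "out" and is_setup(p.flags)),
    (300, "allow", lambda p: p.direction == "in" and p.dst == ME
                             and p.dport in SERVICES and is_setup(p.flags)),
    (600, "deny", lambda p: True),
]

def log_line(number, action, pkt, iface="rl0"):
    """Render a verdict the way /kernel did in the quoted 'ipfw: 600 Deny TCP' lines."""
    return (f"ipfw: {number} {action.capitalize()} TCP {pkt.src}:{pkt.sport} "
            f"{pkt.dst}:{pkt.dport} {pkt.direction} via {iface}")

if __name__ == "__main__":
    for p in (Packet("in", "130.94.149.162", 21, ME, 1032, SYN),        # unsolicited SYN: denied
              Packet("in", "130.94.149.162", 21, ME, 1032, SYN | ACK),  # reply to our SYN: allowed
              Packet("in", "203.0.113.9", 40000, ME, 22, SYN)):        # constructed ssh client: allowed
        print(log_line(*evaluate(RULES, p), p))
```

The point of the ordering is the one made above: `established` alone lets every in-progress session through, so which services the machine accepts is decided entirely by the `setup` rules in front of the final deny.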


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message