From owner-freebsd-questions@FreeBSD.ORG Fri Jul 27 16:26:11 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9B84416A41A for ; Fri, 27 Jul 2007 16:26:11 +0000 (UTC) (envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by mx1.freebsd.org (Postfix) with ESMTP id 6A20E13C483 for ; Fri, 27 Jul 2007 16:26:11 +0000 (UTC) (envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.13.8/8.13.8) with ESMTP id l6RGQAQd076948 for ; Fri, 27 Jul 2007 11:26:10 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200707271626.l6RGQAQd076948@dc.cis.okstate.edu>
To: freebsd-questions@freebsd.org
Date: Fri, 27 Jul 2007 11:26:10 -0500
From: Martin McCormick
Subject: Please Help with Confusion about ipfw rules. Solved.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 27 Jul 2007 16:26:11 -0000

"fbsd2" writes:
> I use the sample ipfw rules with keep state as shown in the handbook

They do work fine. They just aren't meant for the kind of load they were under. I needed to know how to get the same functionality by other means. If you use the keep-state directive, high traffic can basically kill ipfw by running it out of dynamic rule space.

> People on this list don't have ESP so they can't read your mind about what
> rules you have coded.

But they can read down to where it says:

> ${fwcmd} add pass all from any to ${ip} 53
>
> and
>
> ${fwcmd} add pass all from ${ip} to any 53

It turns out that I didn't catch on to the need for supporting the reply traffic that each of those two rules generates.
This stateless set of rules solved the problem and does not use up dynamic rule space.

${fwcmd} add allow ip from any to ${ip} dst-port 53
${fwcmd} add allow ip from ${ip} 53 to any        # allow reply traffic
${fwcmd} add allow ip from ${ip} to any dst-port 53
${fwcmd} add allow ip from any 53 to ${ip}        # allow reply traffic
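As an added example (not Martin's rules, not from the FreeBSD handbook or rc.firewall), here is the same stateless approach written as a shell function in the style a firewall script would call. It goes beyond the post in two ways: it splits the protocol into udp and tcp instead of matching all ip, and it narrows the two return-traffic rules so that a packet carrying source port 53 only gets through to the unprivileged port range (UDP) or as part of an established connection (TCP), rather than to every port on the host. The function name dns_rules, the 1024-65535 range assumed for the resolver's outbound query source ports, and the address 192.0.2.53 used in the dry run are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or rc.firewall.
# Stateless ipfw rules for a busy DNS server: no keep-state, so no dynamic
# rule entries are created and the dynamic rule table cannot be exhausted.
# Assumptions: the function name dns_rules, the 1024-65535 ephemeral range
# that the resolver's own outbound queries use as their source port, and the
# sample address 192.0.2.53 used in the dry run.
#
# $1: firewall command as in rc.firewall, e.g. "ipfw -q" (use "echo" for a dry run)
# $2: the DNS server's address

dns_rules() {
    fwcmd="$1"
    ip="$2"

    # Queries that reach the server, and its answers leaving from port 53.
    ${fwcmd} add allow udp from any to "${ip}" 53
    ${fwcmd} add allow udp from "${ip}" 53 to any
    ${fwcmd} add allow tcp from any to "${ip}" 53
    ${fwcmd} add allow tcp from "${ip}" 53 to any

    # Queries the server sends out itself (recursion, zone transfers) and the
    # answers coming back. The return rules are narrowed: UDP answers only to
    # the unprivileged port range, TCP answers only with RST or ACK set
    # (established), so that source port 53 alone does not open every port.
    ${fwcmd} add allow udp from "${ip}" to any 53
    ${fwcmd} add allow udp from any 53 to "${ip}" 1024-65535
    ${fwcmd} add allow tcp from "${ip}" to any 53
    ${fwcmd} add allow tcp from any 53 to "${ip}" established
}

# Dry run (prints the eight rules instead of loading them):
#   dns_rules echo 192.0.2.53
# Real use from a firewall script:
#   dns_rules "ipfw -q" 192.0.2.53
```

To confirm that dynamic-rule pressure was the problem before switching, compare `sysctl net.inet.ip.fw.dyn_count` against `net.inet.ip.fw.dyn_max` while the server is under load, and `ipfw -d list` shows the dynamic entries themselves; after loading the stateless set, dyn_count should stay flat no matter how much DNS traffic arrives.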