Date: Mon, 6 May 2002 02:08:20 +0200 From: "Karsten W. Rohrbach" <karsten@rohrbach.de> To: Jens Rehsack <rehsack@liwing.de> Cc: Michael Riexinger <mailinglists@grindking.de>, freebsd-stable@freebsd.org Subject: Re: ipfilter problem Message-ID: <20020506020820.A82377@mail.webmonster.de> In-Reply-To: <3CD5B662.26298116@liwing.de>; from rehsack@liwing.de on Mon, May 06, 2002 at 12:46:58AM %2B0200 References: <20020504223450.GA1025@grind.grind.dom> <20020505152314.B73550@mail.webmonster.de> <20020505133204.GA667@grind.grind.dom> <20020505184630.A76286@mail.webmonster.de> <3CD5B662.26298116@liwing.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--gBBFr7Ir9EOA20Yy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Jens Rehsack(rehsack@liwing.de)@2002.05.06 00:46:58 +0000: > "Karsten W. Rohrbach" wrote: > >=20 > > Michael Riexinger(mailinglists@grindking.de)@2002.05.05 15:32:04 +0000: > > > On Sun May 5 15:23:14 2002, Karsten W. Rohrbach wrote: > > > > the problem can only be analyzed efficiently if you show us the res= t of > > > > the ruleset. anything else is pure guesswork, based on assumptions = about > > > > your ipf configuration. > > > > > > > > regards, > > > > /k > > > Ok, here they are. But I wonder why it worked withot problems with > > > previous versions of FreeBSD/ipfilter. With netstat I can see FIN_WAI= T_1 > > > states to the newsserver. > > > (tcp4 0 0 dialin-212-144-1.49368 news.fu-berlin.d.nntp > > > FIN_WAIT_1) > > > > > > > > > pass in quick on lo0 all > > > pass out quick on lo0 all > > > > > > pass in quick on ed0 all > > > pass out quick on ed0 all > > > > > > pass out quick on isp0 proto tcp/udp from any to any keep state > >=20 > > pass out quick on isp0 proto tcp from any to any flags S/SA keep state > > pass out quick on isp0 proto udp from any to any keep state > I don't use the flags, but my ruleset works. But I have seen many times > (others and me, too) that being confused about the "last rule match" and > the "quick leaves promptly" behaviour. >=20 > I do following: I write all global rules at the top of the file/section, > in this case the 3 lines with "return-unr". Then I specialize in the next > lines using "quick" rules. that's a matter of style, not functionality. i can hardly see the improvements for a 10 line ruleset here. all entries are "quick", so they get matched from top to bottom. the order of processing for non-quick rules is somewhat different (and affects processing speed, but that's not the issue here). having a flat matching strategy in a "personal firewall" style rule set is pretty intuitive, compared to "global"/"quick" mix'n'match or grouped sub rule sets, but hey, it's his dsl/isdn router and no rocket science... opposing to your apparent ideas, i implement firewall policies the following way: - as simple as possible - documented - structured by access groups/protocols/services, or both, or all three - optimized for performance by rule groups, if applicable the main problem here might be that he just had _one_ line for _both_ protocols, tcp and udp, which might lead to trouble in several points. that's a totally different thing. > This works, if I do not write it after the 4th beer. But sometimes even t= hen ;-) =2E..and makes things more complicated by sticking to different rule matching strategies in a set of 10 or some rules. i can see your point with the beer, but what do you do after the 8th one, being confronted with your own rulesets? > > instead of the above one line should work. if it doesn't then give me a > > slap on the head, i'm still a bit drunk from yesterday ;-) > >=20 > > > pass out quick on isp0 proto icmp from any to any keep state > > > > > > pass in quick on isp0 proto tcp from any to any port =3D 80 > > > pass in quick on isp0 proto tcp from any to any port =3D 60000 > > > > > > block return-icmp-as-dest(host-unr) in log quick on isp0 proto icmp f= rom > > > any to any > > > block return-rst in log quick on isp0 proto tcp from any to any > > > block return-icmp(port-unr) in log quick on isp0 proto udp from any to > > > any > > > > >=20 > > 'ipfstat -s' on your box will tell you about state statistics. > >=20 > > when you reload your rule set for testing, you should invoke it like > > 'ipf -Fa -FS -f/etc/ipf.rules' or similar, just to kick out the old > > state table. > >=20 > > 'ipfstat -t' gives you a "top" style display of current states, so you > > can check them in realtime. regards, /k --=20 > Wenn in der Kueche alles stimmt, geht auch die Musik in Ordnung. WebMonster Community Project -- Next Generation Networks GmbH -- All on BSD http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44 My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --gBBFr7Ir9EOA20Yy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: For info see http://www.gnupg.org iD4DBQE81cl0s5Nr9N7JSKYRAuRyAJjZGUoxuGwh8QB/BUh0fL+HGue1AJ47gXE/ 5ZYsvydQFIgJZTmOhaU8Qg== =5PA2 -----END PGP SIGNATURE----- --gBBFr7Ir9EOA20Yy-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020506020820.A82377>