Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 27 May 2001 18:46:10 -0700
From:      "Earl A. Killian" <>
Subject:   keep-state questions
Message-ID:  <>

Next in thread | Raw E-Mail | Index | Archive | Help
I had an ipfw firewall that was working fine without using state
(e.g. based on /etc/rc.firewall).  I decided to "upgrade" to using
check-state/keep-state to avoid the potential problems of static
rules.  I did not find any documentation, howtos, etc. on how to do
this.  I simply did what I considered the obvious thing, but it did
not work right.  Although I have analyzed the problem and understand
it, I am curious if anyone has any examples of the best way to do
this.  The fix I come up with may not be as optimal as community
wisdom has invented.

My non-working first attempt boiled down to
  <<anti-spoofing rules>>
  divert natd all from any to any via ${oif}
  <<filter connection setups with keep-state on the ones allowed>>
The basic problem is that the firewall is invoked twice, on both
input and output.  A host on the inside initiates a connection by
sending a SYN packet from INSIDE-IP to OUTSIDE-IP.  This was accepted
via one of the filters and a keep-state was done.  Next, the kernel
determines that the packet is destined for outside, so it is run
through the rules a second time on the way out.  This time it is
diverted to natd which rewrites it to a packet from OIF-IP to
OUTSIDE-IP.  Another dynamic rule is created for this by a susequent
keep-state.  When the SYN ACK comes back from OUTSIDE-IP to GATE, it
is diverted on input to natd, which rewrites it as OUTSIDE-IP to
INSIDE-IP.  This hits the check-state and is accepted by the first
dynamic rule created above, and ups the lifetime of the rule to 1000s.
However, the second dynamic rule created above will eventually time
out (it has only a 20s lifetime because it never sees the SYN ACK), at
which point the connection is blocked (further packets from INSIDE-IP
to OUTSIDE-IP will be dropped on the floor on output).

One way to fix this would be to augment the rules to accept anything
output from the gateway to the internet:
  <<anti-spoofing rules>>
  divert natd all from any to any via ${oif}
  allow all from ${oip} to any out xmit ${oif}
  <<filter connection setups with keep-state on the ones allowed>>
This will prevent the need for the second dynamic rule.  However, it
seems to compromise security somewhat since it is fairly permissive,
and generally one follows the rule that anything not required is


To Unsubscribe: send mail to
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <>