Date:      Fri, 27 Jul 2007 08:36:41 -0400
From:      "fbsd2" <fbsd2@a1poweruser.com>
To:        "Martin McCormick" <martin@dc.cis.okstate.edu>, <freebsd-questions@freebsd.org>
Subject:   RE: Please Help with Confusion about ipfw rules.
Message-ID:  <NBECLJEKGLBKHHFFANMBEEFLCFAA.fbsd2@a1poweruser.com>
In-Reply-To: <200707261415.l6QEFNG1063819@dc.cis.okstate.edu>

I use the sample ipfw rules with keep state as shown in the handbook
firewall section.
People on this list don't have ESP, so they can't read your mind about what
rules you have coded.
Posting your ipfw rule set will go a long way to getting a response from
readers of this list.
That being said, I recommend you read the ipfw section of the handbook and
use the sample rules listed there.


-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Martin McCormick
Sent: Thursday, July 26, 2007 10:15 AM
To: freebsd-questions@freebsd.org
Subject: Please Help with Confusion about ipfw rules.

        This is a situation where I thought I knew more than I
actually do. I set up a new domain name server with a
client-type firewall after having tested it first, but there is
nothing like hundreds of thousands of packets per hour to show
the weak spots.

        I made the mistake of setting up keep-state rules both
coming and going and I now see ipfw complaining frequently about
too many dynamic rules. All I am really trying to do is give
crackers a lot of nothing to look at when scanning the ports on
the system. It isn't doing any NAT or routing, etc. I am not
sure if I really need any keep-state rules. The DNS needs to be
accessible to the world and be able to talk to the world on port
53 and that is all as far as bind is concerned.

        What I am confused about is when I actually need
keep-state rules and when a simple rule like:

        ${fwcmd} add pass all from any to ${ip} 53

and

        ${fwcmd} add pass all from ${ip} to any 53

will do. That theoretically should leave port 53 wide open to all types
of in-bound and out-bound traffic.

Fortunately, the new system is still working, but I am afraid we
might be dropping some packets so I need to modify the port 53
access.

        Thanks for your help.

Martin McCormick WB5AGZ  Stillwater, OK
Systems Engineer
OSU Information Technology Department Network Operations Group
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
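The rule set below is an added example written for this archive page; it is not code from either poster, nor a copy of the handbook's sample rules. It shows the stateless answer to the question above: a host whose only public service is DNS can be firewalled without any keep-state rules at all, so no dynamic rule is created per query and the dynamic-rule table (bounded by the sysctl net.inet.ip.fw.dyn_max) can never fill up. Note what each rule matches: a rule of the form "from ${ip} to any 53" matches only packets whose destination port is 53 (queries this host sends out), while the server's replies leave with source port 53 and an ephemeral destination port, so they need their own "from ${ip} 53 to any" rule. Assumptions in the script: the server address 192.0.2.53 is a constructed placeholder, and fwcmd falls back to "echo ipfw" when the script is not run as root on a machine that has ipfw, so the rule text can be reviewed or tested anywhere without touching a live firewall.

```shell
#!/bin/sh
# Added example: stateless ipfw rules for a DNS-only host (not from the
# thread or the FreeBSD handbook). Assumptions are marked below.

# Constructed placeholder address; override with DNS_IP=... when deploying.
ip="${DNS_IP:-192.0.2.53}"

# Use the real ipfw only when we are root on a host that has it; otherwise
# just print the commands so the rule set can be inspected or tested.
if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo ipfw"
fi

# Load the rule set. Every rule is stateless: each packet is judged on
# its own header, so no dynamic-rule entry is consumed however many
# queries per hour arrive. There is deliberately no keep-state or
# check-state anywhere in this function.
dns_rules() {
    ${fwcmd} -q -f flush
    ${fwcmd} add 100 pass ip from any to any via lo0

    # UDP queries from anywhere to our port 53 ...
    ${fwcmd} add 200 pass udp from any to ${ip} 53 in
    # ... and our replies: source port 53, destination port is the
    # client's ephemeral port, hence "to any" with no port number.
    ${fwcmd} add 210 pass udp from ${ip} 53 to any out

    # Queries this host sends itself (recursion, forwarding, notifies)
    # and the answers that come back to our ephemeral port.
    ${fwcmd} add 220 pass udp from ${ip} to any 53 out
    ${fwcmd} add 230 pass udp from any 53 to ${ip} in

    # TCP 53 (zone transfers, truncated answers): admit the SYN in either
    # direction, then let the rest of each connection through with
    # "established" instead of a dynamic keep-state entry.
    ${fwcmd} add 300 pass tcp from any to ${ip} 53 setup in
    ${fwcmd} add 310 pass tcp from ${ip} to any 53 setup out
    ${fwcmd} add 320 pass tcp from any to any established

    # Everything else is dropped silently (deny, not reject), so a port
    # scanner gets no RST or ICMP unreachable to look at.
    ${fwcmd} add 65000 deny ip from any to any
}

# Number of rules the set would install (the flush line excluded).
dns_rule_count() {
    dns_rules | grep -c ' add '
}

dns_rules
```

Before swapping this in on a live box, compare the current state table with its ceiling using `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max` and list the live dynamic entries with `ipfw -d show`; if the count sits near the maximum, the inbound query rule is the one carrying keep-state. After the stateless set is loaded the dynamic count should stay at zero.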