Date: Thu, 30 Jul 1998 19:31:54 -0400 (EDT)
From: spork <spork@super-g.com>
To: questions@FreeBSD.ORG
Subject: IPFilter and "stateful inspection"(TM)
Message-ID: <Pine.BSF.4.00.9807301926110.18364-100000@super-g.inch.com>
Hello,

I saw a post on the Cisco list regarding routers vs. PCs, and someone had mentioned doing "stateful inspection" (a la Firewall-1) under FreeBSD. He pointed to IPFilter (http://coombs.anu.edu.au/~avalon/ip-filter.html).

Looking at this snippet, is it saying what I think it says? Which is "throw away FW-1 for your cheap clients and install IPFilter and FBSD on a PC"??

From what I know of FW-1, it keeps track ("state") of outgoing connections, i.e.: user goes to www.news.com, firewall makes a note of it, opens a hole in the packet filter to let the return packets from www.news.com in and then closes the hole. Roughly...

So does that sound like what this describes? If so, that rocks so hard I might wet myself.

Opinions? Questions? IPFW vs. IPFilter rants? IPFilter will be in 3.0 if memory serves, correct?

[snippet]

4. keep state

Q. What does "keep state" actually do? Is it useful?

A. First, yes, it is useful. What it does is allow you to only allow TCP packets through your firewall which are recognised as being part of an established connection rather than just arbitrary TCP packets which can be used to perform "stealth scanning".

In terms of rules, the following:

    pass in proto tcp all
    block out proto tcp all
    block in quick proto tcp all flags S/SA
    pass in quick from any to any port = smtp flags S/SA
    pass out proto tcp from any port = smtp to any

can be replaced by

    block in proto tcp all
    block out proto tcp all
    pass in quick proto tcp from any to any port = smtp flags S/SA keep state

"keep state" automatically matches packets going in the reverse direction (usually out) or on other interfaces without needing explicit rules. For UDP, it will automatically allow packets in which are the "reverse" of packets that have already been allowed through, without needing to allow too many packets through.

For example, the following could be used for DNS clients:

    block out proto udp all
    block in proto udp all
    pass out proto udp from any port > 1024 to any port = 53
    pass in proto udp from any port = 53 to any port > 1024

which allows through a LOT of unwanted packets. This can be effectively replaced with the following:

    block out proto udp all
    block in proto udp all
    pass in proto udp from any to any port = 53 keep state

[/snippet]

Charles

Charles Sprickman
spork@super-g.com
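To make the DNS-client comparison in the quoted FAQ concrete, here is a small Python model of last-match-wins rule evaluation with a "keep state" table (an added example, not code from the post or from IPFilter). It assumes the stateful client rule is written as "pass out ... keep state", the direction a client's query travels, and uses constructed packets and addresses rather than real sockets.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    proto: str             # "udp" or "tcp"
    sport: object = None   # None = any, int = exact, ("gt", n) = port > n
    dport: object = None
    keep_state: bool = False

def port_ok(spec, port):
    return spec is None or (port > spec[1] if isinstance(spec, tuple) else port == spec)

class Filter:
    def __init__(self, rules):
        self.rules, self.state = rules, set()  # state: flows admitted by keep state

    def filter(self, direction, proto, src, sport, dst, dport):
        fwd, rev = (proto, src, sport, dst, dport), (proto, dst, dport, src, sport)
        # A packet of a known flow (either direction) passes without a rule lookup.
        if fwd in self.state or rev in self.state:
            return "pass"
        winner = None  # last matching rule wins (no "quick" modelled here)
        for r in self.rules:
            if (r.direction, r.proto) == (direction, proto) and \
                    port_ok(r.sport, sport) and port_ok(r.dport, dport):
                winner = r
        if winner is None:
            return "block"
        if winner.action == "pass" and winner.keep_state:
            self.state.add(fwd)
        return winner.action

# Stateless DNS-client rules from the snippet: anything from port 53 to a high
# port gets in, whether or not a query was ever sent.
STATELESS = [Rule("block", "out", "udp"), Rule("block", "in", "udp"),
             Rule("pass", "out", "udp", ("gt", 1024), 53),
             Rule("pass", "in", "udp", 53, ("gt", 1024))]
# Stateful version; assumes the query is matched on the way out ("pass out").
STATEFUL = [Rule("block", "out", "udp"), Rule("block", "in", "udp"),
            Rule("pass", "out", "udp", None, 53, keep_state=True)]

def demo():
    # Constructed packet that looks like a DNS reply but answers no query.
    unsolicited = ("in", "udp", "10.0.0.9", 53, "192.0.2.1", 1025)
    stateless, stateful = Filter(STATELESS), Filter(STATEFUL)
    r1 = stateless.filter(*unsolicited)   # "pass": matched by the port-53 rule
    r2 = stateful.filter(*unsolicited)    # "block": no state entry, no pass rule
    stateful.filter("out", "udp", "192.0.2.1", 1025, "10.0.0.9", 53)  # real query
    r3 = stateful.filter(*unsolicited)    # "pass": reverse of the recorded flow
    return r1, r2, r3
```

The third result shows the point of the FAQ: the same packet is admitted only once a matching query has actually left the host, which is the distinction the stateless port rules cannot make.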