Date:      Fri, 17 Sep 2004 11:59:43 -0500
From:      Norm Vilmer <norm@etherealconsulting.com>
To:        Bill Moran <wmoran@potentialtech.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Too many dynamic rules, sorry
Message-ID:  <414B17FF.9030107@etherealconsulting.com>
In-Reply-To: <20040917114427.24aac112.wmoran@potentialtech.com>
References:  <414A6E9C.4060708@etherealconsulting.com> <020b01c49c76$e3d1ada0$0201a8c0@dredster> <414AF79C.4030809@etherealconsulting.com>	<414AFA74.4070001@yahoo.com> <20040917114427.24aac112.wmoran@potentialtech.com>

Bill Moran wrote:

> Rob <spamrefuse@yahoo.com> wrote:
> 
> 
>>Norm Vilmer wrote:
>>
>>>Here are the rules that I have that keep-state on the outside interface:
>>>
>>>#For DNS
>>>add 01300 pass udp from ${oip} to any 53 keep-state
>>># For NTP
>>>add 01400 pass udp from ${oip} to any 123 keep-state
>>># For VPN
>>>add 01500 pass gre from any to any keep-state
>>># For ICMP
>>>add 01600 pass icmp from any to any via ${oip} keep-state
>>>
>>>Do you think these are causing the problem?
>>
>>Aren't udp and icmp state-less protocols?
>>In that case, keep-state would not make much sense.
>>
>>I use 'keep-state' only for tcp rules.
>>
>>I may be wrong, moreover, I haven't followed the full thread :).
> 
> 
> You'll generally need to keep state on UDP when you play online games.
> 
> If you're smart, you don't allow arbitrary UDP packets from the outside
> world into your network, but if you're playing Unreal or something, then
> all communication is via UDP, and you won't be able to play.
> 
> The best solution is to allow all UDP traffic to _leave_, while keeping
> state.  The keep-state remembers the ip/port information on the outgoing
> packets, and thus allows return packets to get back in (by matching the
> ip/port pair).
> 
> Now, when you know the port, it doesn't really make sense to use
> keep-state, and all you're really doing is spamming your state tables.
> 
> If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> these rules (designed to handle running a DNS server):
>         # Allow access to our DNS
>         ${fwcmd} add pass tcp from any to ${oip} 53 setup
>         ${fwcmd} add pass udp from any to ${oip} 53
>         ${fwcmd} add pass udp from ${oip} 53 to any
> 
> Granted, it's three rules instead of 1, but it does not use your state
> tables unnecessarily (sp?)
> 
> HTH.
> 
I'm not sure why, but using the above rules from the supplied
rc.firewall causes nslookup to fail on all my machines inside the
firewall. I am sure it must have something to do with the order.
Also, I am not running a DNS, so I really only need the outbound
rule (I think).

I changed my rule to

add 01300 pass udp from ${oip} to any 53

This seems to be working. So I also removed the keep-state from
the ICMP and NTP rules. I had thought that you needed the keep-state
rule for ICMP if you wanted traceroute to work correctly, but it
behaves the same regardless.

add 01400 pass udp from ${oip} to any 123
add 01600 pass icmp from any to any via ${oip}

I left the keep-state on the gre rule, well, because I am afraid it
may cause weirdness in the VPN connection.

Norm Vilmer

Norm
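The mechanism Bill describes (keep-state recording the ip/port pair of each outgoing packet so the reply matches, and the dynamic table filling up until ipfw answers "Too many dynamic rules") modelled as a toy in Python. This is an added example, not code from the thread or from FreeBSD; the addresses, the small dyn_max cap standing in for the kernel's limit, and the Firewall/Rule helpers are all assumptions.

```python
from collections import namedtuple

OIP = "203.0.113.5"         # constructed: the firewall's outside address (${oip})
RESOLVER = "198.51.100.53"  # constructed: an upstream DNS server

Packet = namedtuple("Packet", "proto src sport dst dport")
# "any" matches any address/protocol; None matches any port; keep_state mirrors ipfw's option.
Rule = namedtuple("Rule", "action proto src dst sport dport keep_state",
                  defaults=(None, None, False))

def matches(r, p):
    return (r.proto in ("any", p.proto) and r.src in ("any", p.src) and r.dst in ("any", p.dst)
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))

class Firewall:   # toy ipfw: static rules checked in order, plus a dynamic table of 5-tuples
    def __init__(self, rules, dyn_max=4):   # dyn_max plays the role of the kernel's dynamic-rule limit
        self.rules, self.dyn_max, self.dynamic = rules, dyn_max, set()

    def accept(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:   # implicit check-state, either direction
            return True
        for r in self.rules:
            if matches(r, p):
                if r.action == "pass" and r.keep_state:
                    if len(self.dynamic) >= self.dyn_max:
                        raise RuntimeError("Too many dynamic rules, sorry")
                    self.dynamic.add(fwd)   # one dynamic entry per new flow
                return r.action == "pass"
        return False   # default deny

def resolve(fw, queries):
    """Send `queries` outbound DNS lookups and their replies; return (passed, dynamic entries)."""
    ok = 0
    for i in range(queries):
        sport = 49152 + i   # a fresh ephemeral port per lookup, so each lookup is a new flow
        ok += fw.accept(Packet("udp", OIP, sport, RESOLVER, 53)) and \
              fw.accept(Packet("udp", RESOLVER, 53, OIP, sport))
    return ok, len(fw.dynamic)

def state_table_overflows(fw, queries):
    try:
        resolve(fw, queries)
        return False
    except RuntimeError:
        return True

# Norm's keep-state rule versus a stateless pair that admits replies by their source port 53.
STATEFUL = [Rule("pass", "udp", OIP, "any", dport=53, keep_state=True)]
STATELESS = [Rule("pass", "udp", OIP, "any", dport=53), Rule("pass", "udp", "any", OIP, sport=53)]
```

With the keep-state rule every lookup leaves an entry behind and the cap is hit after dyn_max flows; the stateless pair passes the same traffic with an empty dynamic table, which is Bill's point about not spamming the state tables when the port is known.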


