From owner-freebsd-questions@FreeBSD.ORG Fri Sep 17 17:20:11 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5EAA16A4CE for ; Fri, 17 Sep 2004 17:20:11 +0000 (GMT)
Received: from advmail.lsn.net (advmail.lsn.net [66.90.138.148]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6577A43D2D for ; Fri, 17 Sep 2004 17:20:11 +0000 (GMT) (envelope-from norm@etherealconsulting.com)
Received: from etherealconsulting.com (24-155-40-125.ip.grandenetworks.net [24.155.40.125]) by advmail.lsn.net (8.12.8/8.12.4) with ESMTP id i8HHKD0A016046; Fri, 17 Sep 2004 12:20:14 -0500
Message-ID: <414B1CC9.7040600@etherealconsulting.com>
Date: Fri, 17 Sep 2004 12:20:09 -0500
From: Norm Vilmer
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Dave McCammon
References: <20040917162811.30280.qmail@web41406.mail.yahoo.com>
In-Reply-To: <20040917162811.30280.qmail@web41406.mail.yahoo.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiVirus: checked by Vexira Milter 1.0.6; VAE 6.27.0.10; VDF 6.27.0.66
cc: questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 17 Sep 2004 17:20:11 -0000

Dave McCammon wrote:
> --- Bill Moran wrote:
>
>>Rob wrote:
>>
>>>Norm Vilmer wrote:
>>>
>>>>Here are the rules that I have that keep-state on the outside interface:
>>>>
>>>>#For DNS
>>>>add 01300 pass udp from ${oip} to any 53 keep-state
>>>># For NTP
>>>>add 01400 pass udp from ${oip} to any 123 keep-state
>>>># For VPN
>>>>add 01500 pass gre from any to any keep-state
>>>># For ICMP
>>>>add 01600 pass icmp from any to any via ${oip} keep-state
>>>>
>>>>Do you think these are causing the problem?
>>>
>>>Aren't udp and icmp state-less protocols?
>>>In that case, keep-state would not make much sense.
>>>
>>>I use 'keep-state' only for tcp rules.
>>>
>>>I may be wrong, moreover, I haven't followed the full thread :).
>>
>>You'll generally need to keep state on UDP when you play online games.
>>
>>If you're smart, you don't allow arbitrary UDP packets from the outside
>>world into your network, but if you're playing Unreal or something, then
>>all communication is via UDP, and you won't be able to play.
>>
>>The best solution is to allow all UDP traffic to _leave_, while keeping
>>state. The keep-state remembers the ip/port information on the outgoing
>>packets, and thus allows return packets to get back in (by matching the
>>ip/port pair).
>>
>>Now, when you know the port, it doesn't really make sense to use
>>keep-state, and all you're really doing is spamming your state tables.
>>
>>If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
>>these rules (designed to handle running a DNS server):
>>
>> # Allow access to our DNS
>> ${fwcmd} add pass tcp from any to ${oip} 53 setup
>> ${fwcmd} add pass udp from any to ${oip} 53
>> ${fwcmd} add pass udp from ${oip} 53 to any
>>
>>Granted, it's three rules instead of 1, but it does not use your state
>>tables unnecessarily (sp?)
>>
>>HTH.
>
> Sorry, wasn't done with last message.
>
> Look at your dynamic table, if you are getting DoS'd,
> try using the "limit" option instead of keep-state or
> tweak the net.inet.ip.fw.dyn_(*)_lifetime to a level
> that suits your needs.
>
> Or, rewrite your rules removing the keep-state options.
>
> _______________________________
> Do you Yahoo!?
> Declare Yourself - Register online to vote today!
> http://vote.yahoo.com
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

I think I follow you. I am going to have to play around with the DNS rules
supplied with rc.firewall to see if I can get them to work. Just putting
them in as given, my machines inside the firewall can not do nslookups.

I am a little afraid to play with the net.inet.ip.fw.dyn_(*)_lifetime
level, I have seen a number of postings where people increase the value,
mine is set to 300 (default). I did remove keep-state from all my rules
except the gre rule. I also set the net.inet.ip.fw.dyn_max to 8192 which
helps.

Maybe I need a good book on the subject. Any suggestions?

Norm Vilmer
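An added illustration, not part of the thread and not ipfw's own code: a small Python model of the ipfw dynamic rule table that reproduces the three points made above. It shows (1) why Norm's `keep-state` DNS rule creates one dynamic entry per lookup and hits the dyn_max ceiling (the "Too many dynamic rules" condition) under a burst of queries, (2) why the rc.firewall rule pair Bill quoted, which is written for a DNS *server*, drops a *client's* lookups when copied as-is, which is what Norm observed, while the mirrored client-side pair passes them with an empty state table, and (3) what Dave's `limit` suggestion changes when one inside host floods the table. The sysctl names (`net.inet.ip.fw.dyn_max`, `net.inet.ip.fw.dyn_udp_lifetime`) and the `limit src-addr N` option are real ipfw knobs; the numeric defaults used here, the simplified matching (no interfaces, no TCP flags, no `check-state`), the mirrored client-side rule pair, and all addresses are assumptions of this model.

```python
# Added example: a model of ipfw keep-state / limit behaviour, not ipfw itself.
# Sysctl names are real; defaults, addresses and matching rules are assumed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Pkt":            # the reply direction of this flow
        return Pkt(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Rule:
    proto: str
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None            # None matches any port
    dport: Optional[int] = None
    keep_state: bool = False               # ipfw "keep-state"
    limit: Optional[int] = None            # ipfw "limit src-addr N" (implies state)

    def matches(self, p: Pkt) -> bool:
        return (self.proto == p.proto and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


@dataclass
class Firewall:
    rules: List[Rule]
    dyn_max: int = 4096                    # assumed net.inet.ip.fw.dyn_max
    dyn_udp_lifetime: float = 10.0         # assumed net.inet.ip.fw.dyn_udp_lifetime (s)
    table: Dict[Pkt, float] = field(default_factory=dict)   # flow -> expiry time
    too_many: int = 0                      # "Too many dynamic rules" events

    def _expire(self, now: float) -> None:
        self.table = {k: t for k, t in self.table.items() if t > now}

    def per_src(self, src: str) -> int:
        return sum(1 for k in self.table if k.src == src)

    def packet(self, p: Pkt, now: float) -> bool:
        """True if passed. Dynamic entries match first (either direction), then rules."""
        self._expire(now)
        for key in (p, p.reverse()):
            if key in self.table:
                self.table[key] = now + self.dyn_udp_lifetime   # refresh lifetime
                return True
        for r in self.rules:
            if not r.matches(p):
                continue
            if not (r.keep_state or r.limit):
                return True                                     # static pass, no state used
            if r.limit is not None and self.per_src(p.src) >= r.limit:
                return False                                    # this source is over its cap
            if len(self.table) >= self.dyn_max:
                self.too_many += 1                              # table full: packet dropped
                return False
            self.table[p] = now + self.dyn_udp_lifetime
            return True
        return False                                            # no match: implicit deny


OIP = "203.0.113.1"   # constructed stand-in for ${oip}


def dns_traffic(n: int, start: float = 0.0, src: str = OIP):
    """Constructed traffic: n DNS lookups (query + reply) from src within one lifetime."""
    pkts = []
    for i in range(n):
        q = Pkt("udp", src, 20000 + i, "198.51.100.%d" % (i % 200 + 1), 53)
        pkts.append((q, start + i * 0.001))
        pkts.append((q.reverse(), start + i * 0.001 + 0.0005))
    return pkts


def run(fw: Firewall, pkts):
    passed = sum(1 for p, t in pkts if fw.packet(p, t))
    return passed, len(pkts) - passed


def dns_client_comparison(n: int = 1000, dyn_max: int = 256):
    """Same client traffic through three rule sets -> (passed, dropped, entries, too_many)."""
    rulesets = {
        "keep-state": [Rule("udp", OIP, "any", dport=53, keep_state=True)],
        "rc.firewall server pair": [Rule("udp", "any", OIP, dport=53),
                                    Rule("udp", OIP, "any", sport=53)],
        "static client pair": [Rule("udp", OIP, "any", dport=53),     # assumed mirror
                               Rule("udp", "any", OIP, sport=53)],
    }
    out = {}
    for name, rules in rulesets.items():
        fw = Firewall(rules, dyn_max=dyn_max)
        passed, dropped = run(fw, dns_traffic(n))
        out[name] = (passed, dropped, len(fw.table), fw.too_many)
    return out


def limit_comparison(dyn_max: int = 256, limit: int = 64):
    """A flooding host then a normal host -> {ruleset: (flooder passed, normal passed)}."""
    out = {}
    for name, rule in (("keep-state", Rule("udp", dport=53, keep_state=True)),
                       ("limit src-addr", Rule("udp", dport=53, limit=limit))):
        fw = Firewall([rule], dyn_max=dyn_max)
        flooder, _ = run(fw, dns_traffic(300, start=0.0, src="10.0.0.3"))
        normal, _ = run(fw, dns_traffic(20, start=1.0, src="10.0.0.2"))
        out[name] = (flooder, normal)
    return out


if __name__ == "__main__":
    print(dns_client_comparison())
    print(limit_comparison())
```

With dyn_max lowered to 256 so the effect is visible, the keep-state rule passes only the first 256 lookups and their replies and then drops everything until entries age out; the server-oriented pair passes nothing for a client; the mirrored client pair passes every packet while leaving the table empty. In the second run the unbounded keep-state rule lets the flooding host fill the table so the normal host gets nothing, whereas `limit src-addr 64` caps the flooder at 64 entries and the normal host's lookups go through.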