Date: Fri, 17 Sep 2004 12:39:50 -0500
From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "Norm Vilmer" <norm@etherealconsulting.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry
Message-ID: <07af01c49cdd$e9910f80$4df24243@tsgincorporated.com>
References: <414A6E9C.4060708@etherealconsulting.com> <020b01c49c76$e3d1ada0$0201a8c0@dredster> <414AF79C.4030809@etherealconsulting.com> <06af01c49cc5$b0b615b0$4df24243@tsgincorporated.com> <414B02FD.6020703@etherealconsulting.com> <06fd01c49ccd$36e91450$4df24243@tsgincorporated.com> <414B150C.6090608@etherealconsulting.com>
----- Original Message -----
From: "Norm Vilmer" <norm@etherealconsulting.com>
To: "Micheal Patterson" <micheal@tsgincorporated.com>
Cc: <freebsd-questions@freebsd.org>
Sent: Friday, September 17, 2004 11:47 AM
Subject: Re: Too many dynamic rules, sorry

> Micheal Patterson wrote:
> >
> > ----- Original Message -----
> > From: "Norm Vilmer" <norm@etherealconsulting.com>
> > To: "Micheal Patterson" <micheal@tsgincorporated.com>
> > Cc: <freebsd-questions@freebsd.org>
> > Sent: Friday, September 17, 2004 10:30 AM
> > Subject: Re: Too many dynamic rules, sorry
> >
> > <snip>
> >
> >> I do have a check-state rule
> >>
> >> add 00200 check-state
> >>
> >> Norm Vilmer
> >
> > Ok. Then right above the check-state entry, place an
> >
> > allow ip from 123.123.123/24 to 123.123.123./24
> >
> > Replace the ip's with the appropriate network/metric for your lan and that
> > will allow lan traffic to go to itself unhindered by any stateful checks.
> >
> > --
> >
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600
>
> would this be the same?
>
> add 00200 allow all from any to any via ${iif} keep-state
> add 00210 check-state

The goal is to not use dynamic rules for your local lan, only the traffic from
the lan to the net. Otherwise, you're wasting dynamic state table space for
rules that aren't necessary. A very basic stateful ruleset:

ipfw add 100 allow ip from 1.1.1.0/24 to 1.1.1.0/24
ipfw add 500 check-state
ipfw add 600 allow ip from 1.1.1.0/24 to any keep-state
ipfw add 65000 deny log ip from any to any

That type of ruleset will allow local traffic without using the state table,
and the entry at 1000 will catch everything else outbound and use state tables
for it. If it's not originating from your network, and there's no state entry,
it's blocked by 65000.

--

Micheal Patterson
TSG Network Administration
405-917-0600
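Added example, not part of the thread above: a small Python model of the four-rule ruleset from the message, showing which flows end up in the dynamic state table and which do not. The rule numbers and the 1.1.1.0/24 placeholder LAN are the ones from the message; the traffic samples are constructed, and the evaluation logic is a simplification of ipfw(8) (check-state matches an existing entry in either direction, keep-state installs one entry per new flow). The lan_rule_keeps_state switch is an assumption used to model the alternative Norm asked about, where the LAN rule itself carries keep-state.

```python
# Added example (not from the mailing-list thread): a simplified model of the
# stateful ipfw ruleset in the message, so the difference in dynamic-state
# usage between a stateless LAN rule and a keep-state LAN rule is visible.
import ipaddress

LAN = ipaddress.ip_network("1.1.1.0/24")  # placeholder LAN from the message


class StatefulRuleset:
    """Evaluate packets against the ruleset and keep the dynamic table."""

    def __init__(self, lan_rule_keeps_state=False):
        # Rule 100 in the message has no keep-state. True models the
        # alternative from the thread, where the LAN rule is itself a
        # keep-state rule and therefore adds a dynamic entry per LAN flow.
        self.lan_rule_keeps_state = lan_rule_keeps_state
        self.dynamic = {}  # flow key -> rule number that installed it

    @staticmethod
    def _flow(proto, src, sport, dst, dport):
        return (proto, src, sport, dst, dport)

    def packet(self, src, dst, sport, dport, proto="tcp"):
        """Return (action, matching_rule) for one packet."""
        src_ip = ipaddress.ip_address(src)
        dst_ip = ipaddress.ip_address(dst)
        fwd = self._flow(proto, src, sport, dst, dport)
        rev = self._flow(proto, dst, dport, src, sport)

        # 100: allow ip from LAN to LAN (stateless in the message's ruleset)
        if src_ip in LAN and dst_ip in LAN:
            if (self.lan_rule_keeps_state
                    and fwd not in self.dynamic and rev not in self.dynamic):
                self.dynamic[fwd] = 100
            return ("allow", 100)

        # 500: check-state -- an existing dynamic entry matches the packet
        # in either direction, so replies to outbound flows are allowed here
        if fwd in self.dynamic or rev in self.dynamic:
            return ("allow", 500)

        # 600: allow ip from LAN to any keep-state -- the first packet of an
        # outbound flow installs the dynamic entry
        if src_ip in LAN:
            self.dynamic[fwd] = 600
            return ("allow", 600)

        # 65000: deny log ip from any to any
        return ("deny", 65000)


def demo(lan_rule_keeps_state=False):
    """Run constructed traffic through the ruleset; return the verdicts and
    the number of dynamic entries left in the table."""
    fw = StatefulRuleset(lan_rule_keeps_state)
    verdicts = {
        "lan_to_lan": fw.packet("1.1.1.10", "1.1.1.20", 40000, 445),
        "lan_to_internet": fw.packet("1.1.1.10", "198.51.100.5", 40001, 443),
        "internet_reply": fw.packet("198.51.100.5", "1.1.1.10", 443, 40001),
        "unsolicited_inbound": fw.packet("203.0.113.9", "1.1.1.10", 5555, 22),
    }
    # ten more constructed LAN-to-LAN flows: with the message's ruleset they
    # cost nothing in the state table
    for i in range(10):
        fw.packet("1.1.1.10", "1.1.1.30", 50000 + i, 139)
    verdicts["dynamic_entries"] = len(fw.dynamic)
    return verdicts


if __name__ == "__main__":
    for keep, label in ((False, "message's ruleset"),
                        (True, "LAN rule with keep-state")):
        print(f"{label}: {demo(keep)}")
```

With the message's ruleset the LAN-to-LAN packets match rule 100 and leave no dynamic entry, the outbound flow installs exactly one entry at rule 600, its reply is matched by check-state at 500, and the unsolicited inbound packet falls through to 65000. Flipping the switch so the LAN rule keeps state shows the same traffic filling the table with one entry per LAN flow, which is the waste the message is describing.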