From: Dave McCammon <davemac11@yahoo.com>
Date: Fri, 17 Sep 2004 13:38:25 -0700 (PDT)
To: Norm Vilmer
cc: questions@freebsd.org
Subject: Re: Too many dynamic rules, sorry
Message-ID: <20040917203825.45384.qmail@web41408.mail.yahoo.com>
In-Reply-To: <414B1CC9.7040600@etherealconsulting.com>

--- Norm Vilmer wrote:

> Dave McCammon wrote:
>
> > --- Bill Moran wrote:
> >
> >> Rob wrote:
> >>
> >>> Norm Vilmer wrote:
> >>>
> >>>> Here are the rules that I have that keep-state on the outside interface:
> >>>>
> >>>> #For DNS
> >>>> add 01300 pass udp from ${oip} to any 53 keep-state
> >>>> # For NTP
> >>>> add 01400 pass udp from ${oip} to any 123 keep-state
> >>>> # For VPN
> >>>> add 01500 pass gre from any to any keep-state
> >>>> # For ICMP
> >>>> add 01600 pass icmp from any to any via ${oip} keep-state
> >>>>
> >>>> Do you think these are causing the problem?
> >>>
> >>> Aren't udp and icmp state-less protocols?
> >>> In that case, keep-state would not make much sense.
> >>> I use 'keep-state' only for tcp rules.
> >>> I may be wrong; moreover, I haven't followed the full thread :).
> >>
> >> You'll generally need to keep state on UDP when you play online games.
> >>
> >> If you're smart, you don't allow arbitrary UDP packets from the outside
> >> world into your network, but if you're playing Unreal or something, then
> >> all communication is via UDP, and you won't be able to play.
> >>
> >> The best solution is to allow all UDP traffic to _leave_, while keeping
> >> state. The keep-state remembers the ip/port information on the outgoing
> >> packets, and thus allows return packets to get back in (by matching the
> >> ip/port pair).
> >>
> >> Now, when you know the port, it doesn't really make sense to use
> >> keep-state, and all you're really doing is spamming your state tables.
> >>
> >> If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> >> these rules (designed to handle running a DNS server):
> >>
> >>   # Allow access to our DNS
> >>   ${fwcmd} add pass tcp from any to ${oip} 53 setup
> >>   ${fwcmd} add pass udp from any to ${oip} 53
> >>   ${fwcmd} add pass udp from ${oip} 53 to any
> >>
> >> Granted, it's three rules instead of 1, but it does not use your state
> >> tables unnecessarily.
> >>
> >> HTH.
> >
> > Sorry, wasn't done with last message.
> >
> > Look at your dynamic table; if you are getting DoS'd, try using the
> > "limit" option instead of keep-state, or tweak the
> > net.inet.ip.fw.dyn_(*)_lifetime to a level that suits your needs.
> >
> > Or, rewrite your rules removing the keep-state options.
> >
> > _______________________________
> > Do you Yahoo!?
> > Declare Yourself - Register online to vote today!
> > http://vote.yahoo.com
> > _______________________________________________
> > freebsd-questions@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> I think I follow you. I am going to have to play around with the
> DNS rules supplied with rc.firewall to see if I can get them to
> work. Just putting them in as given, my machines inside the firewall
> can not do nslookups.
>
> I am a little afraid to play with the net.inet.ip.fw.dyn_(*)_lifetime
> level; I have seen a number of postings where people increase the value.
> Mine is set to 300 (default). I did remove keep-state from all my rules
> except the gre rule. I also set the net.inet.ip.fw.dyn_max to 8192, which
> helps.
>
> Maybe I need a good book on the subject. Any suggestions?
>
> Norm Vilmer

What you may want to do is lower the net.inet.ip.fw.dyn_ack_lifetime. This
will help the dynamic rules to be cleared faster on connections that don't
get completed with the FIN or RST.

Besides, I believe the UDP dynamic rules are controlled by
net.inet.ip.fw.dyn_udp_lifetime. On my bridging firewall it is set to 10,
but the man page for ipfw shows the default as 5 (unless the 5 is just an
example, not the default).

Here are some links that I have bookmarked:

http://www.kgb.ro/Ipfw-HOWTO
http://freebsd.amazingdev.com/blog/archives/000112.html
http://www.toad-one.org/howto/FreeBSD/Ipfw-Advanced-Supplement-HOWTO.txt
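Pulling the thread's advice together into one rc.firewall-style fragment, as an added example that is not part of any message above and not the stock /etc/rc.firewall: stateless rules where the port is known (DNS, NTP, GRE, ICMP), a single stateful rule with a per-host "limit" for the arbitrary outbound UDP that games need, and the three dyn_* sysctls the thread mentions. The addresses, interface name, rule numbers, limit count and sysctl values are this example's assumptions; fwcmd and sysctlcmd default to "echo ..." so the script prints what it would do instead of touching a firewall, which also lets it run on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread or from /etc/rc.firewall.
# Assumed values: oip (outside address), oif (outside interface), lan
# (inside network). fwcmd and sysctlcmd default to "echo ..." so this is a
# dry run; set fwcmd=ipfw sysctlcmd=sysctl to apply it on a FreeBSD box.
oip="${oip:-198.51.100.10}"
oif="${oif:-fxp0}"
lan="${lan:-192.168.1.0/24}"
fwcmd="${fwcmd:-echo ipfw}"
sysctlcmd="${sysctlcmd:-echo sysctl}"

# Dynamic-rule tuning discussed in the thread. The numbers are this
# example's choices, not recommended defaults.
tune_dynamic_rules() {
    ${sysctlcmd} net.inet.ip.fw.dyn_max=8192          # more room before "Too many dynamic rules"
    ${sysctlcmd} net.inet.ip.fw.dyn_ack_lifetime=120  # expire TCP entries that never see FIN/RST sooner
    ${sysctlcmd} net.inet.ip.fw.dyn_udp_lifetime=10   # UDP entries only need a few seconds
}

# Ruleset: stateless wherever the port is fixed, stateful (with a per-host
# cap) only for traffic whose ports cannot be known in advance.
build_rules() {
    ${fwcmd} -f flush
    # Match packets against existing dynamic entries before anything else.
    ${fwcmd} add 01000 check-state
    # DNS and NTP for the firewall itself as a client: fixed remote port,
    # so no state entry is needed. Reverse of the rc.firewall server rules.
    ${fwcmd} add 01300 pass udp from ${oip} to any 53 out via ${oif}
    ${fwcmd} add 01310 pass udp from any 53 to ${oip} in via ${oif}
    ${fwcmd} add 01400 pass udp from ${oip} to any 123 out via ${oif}
    ${fwcmd} add 01410 pass udp from any 123 to ${oip} in via ${oif}
    # GRE for the VPN tunnel: no ports to track, so stateless as well.
    ${fwcmd} add 01500 pass gre from any to any via ${oif}
    # Other outbound UDP (games, etc.): keep state, but cap the number of
    # dynamic entries per inside host so one machine cannot fill the table.
    ${fwcmd} add 01600 pass udp from ${lan} to any out via ${oif} limit src-addr 50
    # ICMP echo/reply, unreachable and time-exceeded without state.
    ${fwcmd} add 01700 pass icmp from any to any via ${oif} icmptypes 0,3,8,11
    ${fwcmd} add 65000 deny log ip from any to any
}

# Helpers so the generated ruleset can be inspected in a dry run.
rule_count()     { build_rules | grep -c ' add '; }
stateful_count() { build_rules | grep -c -e keep-state -e ' limit '; }

tune_dynamic_rules
build_rules
```

The trade-off the thread is weighing shows up in rule 01310: it lets in any UDP datagram whose source port is 53, which keep-state would have rejected unless a matching query went out first. In exchange, DNS and NTP no longer consume dynamic-table entries at all, and the only stateful rule is capped with "limit src-addr", so a burst of UDP from one inside host cannot produce "Too many dynamic rules" for everyone else. Inside hosts doing their own lookups need their own pass rules (or go through natd), which is why dropping the server-oriented rc.firewall rules in unchanged breaks nslookup from the LAN.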