Date: 08 Feb 2001 10:45:48 -0500 From: Lowell Gilbert <lowell@world.std.com> To: freebsd-questions@freebsd.org Subject: Re: ipfw check-state Message-ID: <4466il89g3.fsf@lowellg.ne.mediaone.net> In-Reply-To: ppandoson@eCoNeed.com's message of "5 Feb 2001 10:01:33 %2B0100" References: <3A7E6BCE.E93BDB1C@eCoNeed.com>
next in thread | previous in thread | raw e-mail | index | archive | help
ppandoson@eCoNeed.com (Pater Pandoson) writes: > I have been reading the man page but I am still > unsure how to use the dynamic firewall rules. > Is there a good tutorial somewhere? The "good tutorial" question is tricky, because it really depends on where you start from: specifically, your knowledge of how IP (and especially, but not exclusively, TCP) works. There are a couple of good books on the theory. Addison-Wesley and O'Reilly each publish a good one, although those books come after it a little differently (i.e., one might well want both). I understand IP pretty well, and I found everything I needed to know from the man page itself. I don't, however, make particularly heavy use of stateful rules (because in several cases they don't play well with NAT or other forms of packet rewriting). The basic idea behind stateful rules is pretty simple: you let detection of one packet cause the opening of a narrowly defined hole specifically designed to let a response come back. There are several reasons you might want to do this; none of them are useful to every firewall. One reason is efficiency. A check against a list of dynamic rules is generally faster than a sequential check against a list of static rules. Due to differences in storage techniques (data structures), this is often true even when the number of dynamic rules is much larger than the number of static ones. However, this only makes a noticeable impact on the performance of the system when both the number of packets being checked *and* the number of rules are quite large. The other reason is to be sure that a packet coming in is a response to a packet that you had sent out previously. For pure datagram protocols, there's no other way to guarantee this; for example, with static rules, you have to let in DNS queries as well as responses. For TCP, the headers themselves let you know whether a packet is the first in a connection, and even if a packet "lies" about that, that packet won't be accepted by an IP stack -- however, people often prefer to not let such packets by their firewalls at all. Does this information help? I'm considering submitting some of it as an expansion on the handbook descriptions... Be well. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4466il89g3.fsf>