From owner-freebsd-questions  Thu Oct 25 17:22:33 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-65-31-203-60.mmcable.com [65.31.203.60])
	by hub.freebsd.org (Postfix) with SMTP id 243B537B403
	for <questions@freebsd.org>; Thu, 25 Oct 2001 17:22:31 -0700 (PDT)
Received: (qmail 37106 invoked by uid 100); 26 Oct 2001 00:22:30 -0000
From: Mike Meyer <mwm@mired.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15320.44230.677241.804365@guru.mired.org>
Date: Thu, 25 Oct 2001 19:22:30 -0500
To: Rogier Steehouder <r.j.s@gmx.net>
Cc: questions@freebsd.org
Subject: Re: can't get stateful ipfw working...
In-Reply-To: <4998109@toto.iv>
X-Mailer: VM 6.90 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG%
 *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Rogier Steehouder <r.j.s@gmx.net> types:
> On 22-10-2001 21:43 (-0400), David Hill wrote:

Arrgh. The digester ate David's address. Rogier, if you still have it,
could you forward it to him?

> > Hello -
> > Implementing the following ipfw ruleset allows nothing to work.
> > The nat'd machines can't access the gateway, nor the internet
> > 
> > What am I doing wrong?
> 
> > $fwcmd add 500 check-state
> > $fwcmd add 510 deny tcp from any to any in established
> > $fwcmd add 520 allow tcp from any to any keep-state setup
> 
> I don't know for sure, but maybe the stateful rule includes the setup
> option and refuses anything but setup packets. Try removing that since
> it's quite useless here anyway.

His rules look almost exactly like what the man page suggests for
dealing with flood attacks. There are two difference:

1) Rule 510 only denies incoming fake packets. Probably immaterial.

2) Rule 520 uses "keep-state setup" instead of "setup
keep-state". Since keep-state takes an optional method, that may be
confusing the parser, and hence the rule actually implemented. I'd try
swapping that.

	<mike

--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?		A: Tell them your plans.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message