Date: Fri, 21 Mar 2003 02:29:40 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: james_mapson@museum.rain.com
Cc: Drew Tomlinson <drew@mykitchentable.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW - "keep-state/check-state" And "setup/established" Confusion
Message-ID: <20030321002940.GF1538@gothmog.gr>
In-Reply-To: <20030320115636.A37330@ns.museum.rain.com>
References: <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong> <20030320165232.GB6347@gothmog.gr> <20030320115636.A37330@ns.museum.rain.com>
On 2003-03-20 11:56, James Long <list@museum.rain.com> wrote:
> On Thu, Mar 20, 2003 at 06:52:32PM +0200, Giorgos Keramidas wrote:
> > > use "keep-state/check-state" for everything by adding my check-state
> > > rule near the top and then adding the following rule for incoming
> > > services:
> > >
> > > ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
> >
> > As a matter of fact, you should. The 'established' keyword is not as
> > nice as a real, stateful firewall (which {keep,check}-state gives you).
>
> A learning question: First, I am working from the understanding that
> the keep-state flag results in _one_ rule from any to $inwr, but creates
> the complementary "$inwr to any" rules for the return traffic on a dynamic
> basis, and that there is one dynamic rule for each connection that is
> active at the time. I welcome enlightenment if I am mistaken in this.
>
> Given that one wants to run those four ports wide open to the world, won't
> "keep-state" result in the firewall creating N dynamic rules for the return
> traffic, where N is the number of connections open to those four ports?
> When N is large (i.e., when there are many connections to those ports),
> would it not result in fewer firewall rule comparisons to just run them
> wide open and be done with it?
>
> If one accepts traffic from anyone coming in to those ports, what is to
> be gained by restricting the IPs to which our server can send return
> traffic from those ports?
>
> ipfw add allow ip from any to $inwr 21,22,25,80
> ipfw add allow ip from $inwr 21,22,25,80 to any
>
> Wouldn't this result in a maximum of two rules, instead of N + 1?

True. This is probably a good way of avoiding the overhead associated
with dynamic rules. I was only comparing 'established' to '*-state' ;)