From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 3 18:19:46 2007
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 31B6F16A417 for ; Mon, 3 Sep 2007 18:19:46 +0000 (UTC) (envelope-from vadimnuclight@tpu.ru)
Received: from relay1.tpu.ru (relay1.tpu.ru [213.183.112.102]) by mx1.freebsd.org (Postfix) with ESMTP id CC8B813C45A for ; Mon, 3 Sep 2007 18:19:45 +0000 (UTC) (envelope-from vadimnuclight@tpu.ru)
Received: from localhost (localhost.localdomain [127.0.0.1]) by relay1.tpu.ru (Postfix) with ESMTP id C203F1051AA; Tue, 4 Sep 2007 01:19:44 +0700 (NOVST)
X-Virus-Scanned: amavisd-new at tpu.ru
Received: from relay1.tpu.ru ([127.0.0.1]) by localhost (relay1.tpu.ru [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t62lgrBekQTs; Tue, 4 Sep 2007 01:19:43 +0700 (NOVST)
Received: from mail.main.tpu.ru (mail.main.tpu.ru [10.0.0.3]) by relay1.tpu.ru (Postfix) with ESMTP id 79EA110527E; Tue, 4 Sep 2007 01:19:43 +0700 (NOVST)
Received: from mail.tpu.ru ([213.183.112.105]) by mail.main.tpu.ru with Microsoft SMTPSVC(6.0.3790.3959); Tue, 4 Sep 2007 01:19:43 +0700
Received: from nuclight.avtf.net ([83.172.2.158]) by mail.tpu.ru over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Tue, 4 Sep 2007 01:19:43 +0700
Date: Tue, 04 Sep 2007 01:19:41 +0700
To: "Russell Fulton"
References: <46D66176.9020300@auckland.ac.nz> <46D70145.3030708@auckland.ac.nz>
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-ID:
In-Reply-To: <46D70145.3030708@auckland.ac.nz>
User-Agent: Opera M2/7.54 (Win32, build 3865)
X-OriginalArrivalTime: 03 Sep 2007 18:19:43.0227 (UTC) FILETIME=[FFF62CB0:01C7EE56]
Cc: freebsd-ipfw@freebsd.org
Subject: Re: getting state to work properly
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 03 Sep 2007 18:19:46 -0000

31.08.07 @ 00:41 Russell Fulton wrote:

> Rule set appended -- anonymizing the rule set while keeping the sense
> would be a lot of work and I don't want to trim it down for fear of
> dropping something vital. As this network is not exposed to the
> internet and the firewall's primary purpose is traffic shaping not
> security I'll post it.
>
> Attached.

Some summary points:

1) localhost traffic should be unconditionally allowed at the start of the firewall; state here is useless.

2) Antispoofing can be done more clearly with the antispoof and verrevpath keywords. Like:

   ipfw add 100 pass all from any to any via lo0
   ipfw add 110 deny all from any to any in recv $extiface not verrevpath
   ipfw add 111 deny log all from any to any in recv $intiface not antispoof
   ipfw add 112 check-state

3) Using the "setup" option while the protocol is "all" is unclear - it will match only tcp, while you possibly meant to keep-state on every protocol, not just tcp.

4) Consider using sysctl net.inet.ip.fw.one_pass - it controls whether traffic, after getting out from a pipe, will continue to go through the ipfw ruleset.

5) Don't forget that ipfw has two passes, input and output, so if you are sending traffic from A to B into a pipe without "in" or "out" options, the speed will be half of that specified in the pipe.

-- 
WBR, Vadim Goncharov
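The following script is an added example that is not part of the thread above and not Russell's or Vadim's ruleset; it shows one way to put the five points into a complete ruleset for a two-interface shaping box. The interface names (em0/em1), the internal network 192.0.2.0/24, the 10Mbit/s bandwidth and the DRY_RUN switch are all assumptions. It deliberately puts the pipe rules before check-state: with one_pass=0 a packet returning from the pipe falls through to check-state, so established flows are shaped and then accepted, instead of check-state accepting the return traffic before it ever reaches a pipe. By default it only prints the ipfw commands; DRY_RUN=0 executes them on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipfw ruleset applying
# the five summary points. Interface names, network and bandwidth are
# assumptions. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.

extiface="${extiface:-em0}"     # assumed external interface
intiface="${intiface:-em1}"     # assumed internal interface
inet="${inet:-192.0.2.0/24}"    # constructed internal network (documentation range)
bw="${bw:-10Mbit/s}"            # assumed shaping bandwidth per direction

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else echo "$*"; fi
}

# Emit (or apply) the whole ruleset in order; each point is labelled.
gen_ruleset() {
    # (4) one_pass=0: a packet leaving a pipe continues through the ruleset
    #     at the next rule instead of being accepted as the pipe releases it.
    run sysctl net.inet.ip.fw.one_pass=0
    run ipfw -f flush
    run ipfw pipe flush

    # (1) localhost first and stateless: tracking lo0 flows buys nothing.
    run ipfw add 100 pass all from any to any via lo0

    # (2) antispoofing via verrevpath / antispoof rather than address lists.
    run ipfw add 110 deny all from any to any in recv "$extiface" not verrevpath
    run ipfw add 111 deny log all from any to any in recv "$intiface" not antispoof

    # (5) ipfw sees each forwarded packet twice (input and output pass), so
    #     every pipe rule carries an explicit direction; otherwise a flow
    #     would traverse the same pipe twice and get half the configured rate.
    run ipfw pipe 1 config bw "$bw"
    run ipfw pipe 2 config bw "$bw"
    run ipfw add 120 pipe 1 all from "$inet" to any out xmit "$extiface"
    run ipfw add 121 pipe 2 all from any to "$inet" in recv "$extiface"

    # check-state after the pipes: with one_pass=0, shaped return traffic
    # falls through here and is matched against the dynamic rules.
    run ipfw add 130 check-state

    # (3) keep-state on every protocol: no "setup", which would silently
    #     narrow the rule to TCP SYN packets only.
    run ipfw add 200 pass all from "$inet" to any out xmit "$extiface" keep-state
    run ipfw add 65000 deny all from any to any
}

# Helpers for inspecting the generated ruleset (dry-run output).
count_rules() {                 # number of emitted lines containing $1
    gen_ruleset | grep -c -- "$1" || true
}
rule_number() {                 # rule number of the first "ipfw add" line containing $1
    gen_ruleset | grep '^ipfw add' | grep -- "$1" | sed 's/^ipfw add \([0-9]*\) .*/\1/' | head -n 1
}
undirected_pipe_rules() {       # pipe rules lacking an explicit in/out (should be 0)
    gen_ruleset | grep '^ipfw add [0-9]* pipe' | grep -vc -e ' in ' -e ' out ' || true
}

gen_ruleset
```

Run it as-is to review the generated commands, then set DRY_RUN=0 (as root, on the firewall host) to apply them. The helper functions at the bottom exist so the ordering invariants the reply describes can be checked mechanically: lo0 before check-state, pipes before check-state, no pipe rule without a direction, and no "setup" anywhere.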