From: Julian Elischer <julian@elischer.org>
Date: Tue, 04 Sep 2007 03:51:40 -0700
To: Vadim Goncharov
Cc: freebsd-ipfw@freebsd.org, Russell Fulton
Subject: Re: getting state to work properly
Message-ID: <46DD38BC.30605@elischer.org>
References: <46D66176.9020300@auckland.ac.nz> <46D70145.3030708@auckland.ac.nz>
List-Id: IPFW Technical Discussions

Vadim Goncharov wrote:
> 31.08.07 @ 00:41 Russell Fulton wrote:
>
>> Rule set appended -- anonymizing the rule set while keeping the sense
>> would be a lot of work and I don't want to trim it down for fear of
>> dropping something vital. As this network is not exposed to the
>> internet and the firewall's primary purpose is traffic shaping not
>> security I'll post it.
>>
>> Attached.
>
> Some summary points:

also bear in mind the way that state is done..
it's not documented anywhere but when you do a 'keep-state', the rule
that does the keep-state is stored away, and when a "check state" is
run, it effectively JUMPS TO the rule that did the keep-state. If the
rule contains some action that is not terminal, then EXECUTION
CONTINUES at that point!!!

for example

check-state
[...]
"some rules"
[...]
skipto xxx [packet definition] keep state
xxx: more rules

the first packet will execute all of "some rules" but subsequent
packets from these sessions will skip straight to the skipto. All
packets will do the test in the skipto rule, and subsequent rules.

>
> 1) localhost traffic should be unconditionally allowed at the start of
> firewall, state here is useless.
> 2) antispoofing can be more clearly done with antispoof and verrevpath
> keywords. Like:
>
> ipfw add 100 pass all from any to any via lo0
> ipfw add 110 deny all from any to any in recv $extiface not verrevpath
> ipfw add 111 deny log all from any to any in recv $intiface not antispoof
> ipfw add 112 check-state
>
> 3) Using "setup" option while protocol is "all" is unclear - it will
> match only tcp, while you possibly meant to keep-state on every protocol,
> not just tcp.
> 4) Consider using sysctl net.inet.ip.fw.one_pass - it controls whether
> traffic after getting out from pipe will continue to go through ipfw ruleset.
> 5) Don't forget that ipfw has two passes, input and output, so if you
> are sending traffic from A to B into pipe without "in" or "out" options,
> speed will be half of that specified in a pipe.
>
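The keep-state / check-state / skipto behaviour described above, as a constructed Python model added here for illustration (it is not ipfw's code and not from either poster). It assumes a heavily simplified ipfw: a session is keyed only by the two addresses, a dynamic hit goes straight to the action of the rule that created the state (as ipfw(8) describes for check-state), only the actions count, skipto, allow and deny exist, and the ruleset is the sketch from the mail with a count rule standing in for "some rules".

```python
from dataclasses import dataclass, field
@dataclass
class Rule:
    num: int
    action: str                    # check-state | count | skipto | allow | deny
    match: callable = lambda p: True
    target: int = 0                # skipto destination rule number
    keep_state: bool = False

@dataclass
class Firewall:
    rules: list
    dynamic: dict = field(default_factory=dict)  # session key -> index of parent rule
    @staticmethod
    def session(p):
        return tuple(sorted((p["src"], p["dst"])))  # both directions share one entry
    def run(self, p):
        # returns (verdict, rule numbers executed) for one packet dict
        trace, i, via_state = [], 0, False
        while i < len(self.rules):
            r = self.rules[i]
            trace.append(r.num)
            if r.action == "check-state":           # dynamic hit: jump to the keep-state rule
                parent = self.dynamic.get(self.session(p))
                i, via_state = (i + 1, False) if parent is None else (parent, True)
                continue
            if not via_state and not r.match(p):    # after a dynamic hit go straight to the action
                i += 1
                continue
            if r.keep_state and not via_state:
                self.dynamic[self.session(p)] = i   # remember the parent rule for this session
            via_state = False
            if r.action in ("allow", "deny"):
                return r.action, trace              # terminal action
            if r.action == "skipto":
                i = next(k for k, x in enumerate(self.rules) if x.num >= r.target)
            else:
                i += 1                              # count etc.: execution continues here
        return "deny", trace                        # implicit default deny
RULES = [Rule(100, "check-state"), Rule(200, "count"),
         Rule(300, "skipto", lambda p: p["src"].startswith("10."), target=1000, keep_state=True),
         Rule(400, "deny"), Rule(1000, "allow")]
def demo():
    fw = Firewall(RULES)
    first = fw.run({"src": "10.0.0.5", "dst": "192.0.2.1"})    # walks "some rules" (200)
    second = fw.run({"src": "10.0.0.5", "dst": "192.0.2.1"})   # check-state jumps to rule 300
    reply = fw.run({"src": "192.0.2.1", "dst": "10.0.0.5"})    # reverse direction, same session
    other = fw.run({"src": "172.16.0.9", "dst": "192.0.2.1"})  # no state, no match: falls to 400
    return first, second, reply, other
```

Running demo() shows the first packet executing rule 200 while later packets of the session, in both directions, go from check-state straight to the skipto and on to rule 1000.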