Date: 24 Oct 2000 19:54:58 -0500
From: Kirk Strauser <kirk@strauser.com>
To: freebsd-ipfw@freebsd.org
Subject: Stateful? Non-stateful? I'm lost.
Message-ID: <87u2a1zqn1.fsf@pooh.honeypot>
I am using ipfw on a FreeBSD 4.1.1-STABLE box. I have written my firewall config in m4, since there are quite a few rules, and since I wanted to minimize the risk of typos. I initially configured my firewall based on the instructions in the handbook. I have m4 macros in the form:

    define(`tcp_outgoing',
      `add $1 allow tcp from $2 to $3 $4 out xmit $5
       add $1 allow tcp from $3 $4 to $2 in recv $5 established')

    define(`tcp_incoming',
      `add $1 allow tcp from $3 to $2 $4 in recv $5
       add $1 allow tcp from $2 $4 to $3 out xmit $5 established')

    define(`udp_outgoing',
      `add $1 allow udp from $2 to $3 $4 out xmit $5
       add $1 allow udp from $3 $4 to $2 in recv $5')

    define(`udp_incoming',
      `add $1 allow udp from $3 to $2 $4 in recv $5
       add $1 allow udp from $2 $4 to $3 out xmit $5')

so that later entries in the form:

    tcp_outgoing(30400, MAIN_LAN, any, ssh, WAN)
    tcp_incoming(40200, PROXY, any, smtp, WAN)

become

    30400 allow tcp from 10.0.1.0/24 to any 22 out xmit ed0
    30400 allow tcp from any 22 to 10.0.1.0/24 in recv ed0 established
    40200 allow tcp from any to 10.0.0.2 25 in recv ed0
    40200 allow tcp from 10.0.0.2 25 to any out xmit ed0 established

This has worked perfectly for roughly the last year, and continues to keep me safe from script kiddies.

Recently I noticed the keep-state and check-state options to ipfw. I've asked around, and made an honest effort to RTFM (which would first require *finding* TFM!), but I just can't figure out exactly what they're supposed to do. My questions are:

1. What do they do?
2. How could I use them to improve my ruleset?
3. Are there any caveats / efficiency tradeoffs from using them?
4. Would they increase security over what I'm already doing?

I'm not a newbie, but I just haven't been able to find the information I need. My only other request is that if you feel that you must answer with "RTFM, darnit!", then please at least tell me where to look for it. I've scoured freebsd.org to the limits of my searching ability and can't find any answers.
Thanks,
--
Kirk Strauser
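The two expanded TCP rule pairs above, rewritten with keep-state and check-state, as an added example that is not part of the original message or the FreeBSD handbook: the SYN that opens a connection creates a dynamic rule, and check-state admits only packets that match such a rule, whereas the `established` rules match any packet from port 22 or 25 that merely carries the ACK or RST bit. Rule numbers, addresses and the ed0 interface are the ones from the message; the 30000 number for check-state is assumed.

```ipfw
# Dynamic-rule lookup first: a packet that matches an existing state
# entry is accepted here, in either direction, and never reaches the
# static rules below.
add 30000 check-state

# Outgoing ssh from the LAN (replaces the tcp_outgoing pair).
# 'setup' restricts the match to the SYN that opens the connection;
# 'keep-state' then installs a dynamic rule for the reply traffic.
add 30400 allow tcp from 10.0.1.0/24 to any 22 out xmit ed0 setup keep-state

# Incoming smtp to the proxy (replaces the tcp_incoming pair).
add 40200 allow tcp from any to 10.0.0.2 25 in recv ed0 setup keep-state
```

The state table is bounded by the net.inet.ip.fw.dyn_max sysctl and entries expire according to the net.inet.ip.fw.dyn_*_lifetime sysctls; a full table means new connections cannot be tracked, which is the efficiency tradeoff to watch.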