Date:      Sun, 10 Dec 2000 20:02:04 -0600
From:      Bill Fumerola <billf@mu.org>
To:        Rémi Guyomarch <rguyom@pobox.com>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: IPFIREWALL or IPFILTER?
Message-ID:  <20001210200204.I86825@elvis.mu.org>
In-Reply-To: <20001210202817.C22773@diabolic-cow.chatgris.net>; from rguyom@pobox.com on Sun, Dec 10, 2000 at 08:28:17PM +0100
References:  <Pine.BSF.4.21.0012031955270.59659-100000@ipamzlx.physik.uni-mainz.de> <00dd01c05e2e$e42a0700$0b6cffc8@infolink.com.br> <20001209112247.A22773@diabolic-cow.chatgris.net> <002301c062bd$2aeb0440$0b6cffc8@infolink.com.br> <20001210202817.C22773@diabolic-cow.chatgris.net>

On Sun, Dec 10, 2000 at 08:28:17PM +0100, Rémi Guyomarch wrote:

> Can you do stateful filtering of TCP, UDP and ICMP streams with ipfw?
> (this includes icmp errors and fragmented packets [ADSL anyone? ...]).

I'm not sure about the ICMP part, but the tcp and udp work.

> Does the TCP state filtering engine in ipfw actually check sequence
> numbers and window sizes?

No, but that would be trivial to implement (at least window sizes).

> Is there something like "block return-icmp-as-dest (port-unr) ..." in
> ipfw ?

man ipfw

> Is there a concept similar to the head/group thing in ipfw?

After some research in ipf(5) as to what "the head/group thing" was,
it seems you could produce the same type of functionality with:

(rules are intentionally stupid and shouldn't be used)
300 skipto 1000 tcp from any to any
400 skipto 2000 udp from any to any
500 skipto 3000 icmp from any to any
[...]
1000 deny tcp from badguy to goodguy
1010 deny tcp from any to any tcpseq 0 tcpoptions !mss
1999 allow ip from any to any
2001 pass udp from nameserver to me
2500 deny udp from badmrudpflooder to me
2999 allow ip from any to any
3000 allow icmp from me to any
3050 deny icmp from any to any
3999 allow ip from any to any #not needed
[...]
65535 allow ip from any to any

The only thing different from ipf/ipfw is that ipf seems to use
its own namespace for such things, while ipfw abuses rule numbering.

> Can you save/restore to/from disk filter and NAT state entries ?

for filters:
man vi
for state entries:
no

> Can you redirect traffic to many internal boxes with a round-robin
> mechanism ?

man natd

-- 
Bill Fumerola - security yahoo         / Yahoo! inc.
              - fumerola@yahoo-inc.com / billf@FreeBSD.org
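As an added illustration (not part of Bill's mail): a small Python simulator of ipfw's first-match evaluation with skipto, run over the rule set quoted above. Host names are the mail's symbolic labels rather than addresses, rule 1010's tcpseq/tcpoptions qualifiers are modelled only as far as that rule needs, and the "#not needed" comment is dropped so every line parses.

```python
from collections import namedtuple
# Constructed example: the skipto/group rule set from the mail, with symbolic hosts.
RULES_TEXT = """
300 skipto 1000 tcp from any to any
400 skipto 2000 udp from any to any
500 skipto 3000 icmp from any to any
1000 deny tcp from badguy to goodguy
1010 deny tcp from any to any tcpseq 0 tcpoptions !mss
1999 allow ip from any to any
2001 pass udp from nameserver to me
2500 deny udp from badmrudpflooder to me
2999 allow ip from any to any
3000 allow icmp from me to any
3050 deny icmp from any to any
3999 allow ip from any to any
65535 allow ip from any to any
"""
Rule = namedtuple("Rule", "num action target proto src dst extra")

def parse_rules(text):
    """Parse 'num action [target] proto from src to dst [qualifiers...]' lines, sorted by number."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        num, action, i, target = int(t[0]), t[1], 2, None
        if action == "skipto":
            target, i = int(t[2]), 3
        rules.append(Rule(num, action, target, t[i], t[i + 2], t[i + 4], t[i + 5:]))
    return sorted(rules, key=lambda r: r.num)

def matches(rule, pkt):
    """'ip' matches any protocol, 'any' any host; only tcpseq and 'tcpoptions !mss' are modelled."""
    q = dict(zip(rule.extra[::2], rule.extra[1::2]))
    return (rule.proto in ("ip", pkt["proto"])
            and rule.src in ("any", pkt["src"]) and rule.dst in ("any", pkt["dst"])
            and ("tcpseq" not in q or pkt.get("seq") == int(q["tcpseq"]))
            and (q.get("tcpoptions") != "!mss" or not pkt.get("mss")))

def evaluate(rules, pkt):
    """First match wins; returns (verdict, terminating rule number, rules matched on the way)."""
    i, path = 0, []
    while True:                      # the 65535 default rule guarantees termination
        r = rules[i]
        if not matches(r, pkt):
            i += 1
        elif r.action == "skipto":   # continue at the first rule numbered >= target (2000 lands on 2001)
            path.append(r.num)
            i = next(j for j, x in enumerate(rules) if x.num >= r.target)
        else:
            return ("allow" if r.action in ("allow", "pass") else "deny", r.num, path + [r.num])
```

Tracing a packet of any protocol other than tcp/udp/icmp shows the weak spot of emulating groups with rule numbers: nothing dispatches it, so it falls straight through into the TCP block and is accepted by 1999, not by the default rule.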