On 24-May-05, at 2:12 PM, Charles Swiger wrote:
On May 24, 2005, at 2:25 PM, Stephane Raimbault wrote:
I hate to ask something silly, but you do have a check-state rule
somewhere, right?
it's not silly..., what's silly is now I'm asking how would I
check :) or what would the rule look like.
You'd have an "ipfw add check-state" rule somewhere.
The rules you've added permit traffic in both directions, which
shouldn't be needed unless the stateful matching wasn't working
right. Anyway, you don't need to use stateful rules if you
permit traffic in both ways, but the possible tradeoff is making
the systems more accessible to scanning and some DoS attacks
using forged traffic.
Not using keep-state with UDP is quite reasonable, but you might
consider adding a "keep-state" with your TCP rules for port 53.
You should also be aware that your nameservers will want to make
outbound connections using TCP themselves sometimes....
you've actually kinda answered the other question I neglected to
ask... which is, would I really need the keep-state, since it
seemed to work without it being there when I did my testing
earlier today. Regarding adding keep-state to my tcp rule...
would this not do the same thing... ? am I confused... or is it
just insecure of doing it this way:
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
Stateful matching of connections can be more secure than passing
any traffic which is established, but that depends on the other
rules which are being used. However, the IPFW manpage has a good
description of this:
The typical use of dynamic rules is to keep a closed firewall configuration, but let the first TCP SYN packet from the inside network install a dynamic rule for the flow so that packets belonging to that session will be allowed through the firewall:
ipfw add check-state
ipfw add allow tcp from my-subnet to any setup keep-state
ipfw add deny tcp from any to any
That's very interesting and makes sense. I do not have the check-
state in there, and just specify each port that is open, I'm guessing
I did not run into this problem with anything else, as dns is a very
stateful type of protocol? Would this be handy with an FTP server,
right now I just tell the ftp server to use specific passive ports,
and open up the firewall to allow connections on there. Would I be
able to eliminate that with simply setting up check-state and also
having keep-state at the end of the tcp allow rules ?
Thanks,
Stephane.
--
-Chuck
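The stateful DNS ruleset Chuck describes (check-state first, then "setup keep-state" on the TCP rules, stateless UDP, and no blanket "established" rule), written out as an added example that is not part of this thread. The nameserver address, interface-free rule numbers and the ${fwcmd} default are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The rules are emitted through the
# command given as $1 so the set can be previewed with "echo" before it is
# loaded for real with "dns_rules $fwcmd" as root.

fwcmd="${fwcmd:-/sbin/ipfw}"
ns="192.0.2.53"   # constructed nameserver address (TEST-NET-1)

dns_rules() {
    cmd="$1"
    # check-state must come before the keep-state rules so packets that
    # belong to an already-opened flow are matched by the dynamic rule.
    $cmd add 100 check-state
    # Queries over UDP stay stateless, as the thread says is reasonable.
    $cmd add 200 allow udp from any to $ns 53
    $cmd add 210 allow udp from $ns 53 to any
    # Inbound TCP (zone transfers, truncated answers): only the SYN that
    # opens a flow is matched here; later packets are handled by 100.
    $cmd add 300 allow tcp from any to $ns 53 setup keep-state
    # The nameserver also opens outbound TCP itself sometimes.
    $cmd add 310 allow tcp from $ns to any setup keep-state
    # Closed by default: a forged packet with only ACK/RST set has no flow
    # and is dropped, unlike with "pass tcp from any to any established".
    $cmd add 400 deny tcp from any to any
    $cmd add 410 deny udp from any to any
}

# Sanity check used before loading: a stateful set should contain no
# "established" allow rule at all.
count_established_allows() {
    dns_rules echo | grep -c 'allow tcp.*established' || true
}

# Preview without touching the kernel:
dns_rules echo
```

The difference from the "established" rule in the thread is that an unsolicited packet carrying only the ACK bit never matches rule 300 or 100, so it falls through to the deny at 400.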
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-[EMAIL PROTECTED]"