Bill Moran wrote:

Rob <[EMAIL PROTECTED]> wrote:


Norm Vilmer wrote:

Here are the rules that I have that keep-state on the outside interface:

#For DNS
add 01300 pass udp from ${oip} to any 53 keep-state
# For NTP
add 01400 pass udp from ${oip} to any 123 keep-state
# For VPN
add 01500 pass gre from any to any keep-state
# For ICMP
add 01600 pass icmp from any to any via ${oip} keep-state

Do you think these are causing the problem?

Aren't UDP and ICMP stateless protocols? In that case, keep-state would not make much sense.

I use 'keep-state' only for tcp rules.

I may be wrong, moreover, I haven't followed the full thread :).


You'll generally need to keep state on UDP when you play online games.

If you're smart, you don't allow arbitrary UDP packets from the outside
world into your network, but if you're playing Unreal or something, then
all communication is via UDP, and you won't be able to play.

The best solution is to allow all UDP traffic to _leave_, while keeping
state.  The keep-state remembers the ip/port information on the outgoing
packets, and thus allows return packets to get back in (by matching the
ip/port pair).

Now, when you know the port, it doesn't really make sense to use
keep-state, and all you're really doing is spamming your state tables.

If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
these rules (designed to handle running a DNS server):
        # Allow access to our DNS
        ${fwcmd} add pass tcp from any to ${oip} 53 setup
        ${fwcmd} add pass udp from any to ${oip} 53
        ${fwcmd} add pass udp from ${oip} 53 to any

Granted, it's three rules instead of 1, but it does not use your state
tables unnecessarily.

HTH.

I'm not sure why, but using the above rules from the supplied
rc.firewall causes nslookup to fail on all my machines inside the
firewall. I am sure it must have something to do with the order.
Also, I am not running a DNS, so I really only need the outbound
rule (I think).

I changed my rule to

add 01300 pass udp from ${oip} to any 53

this seems to be working. So I also removed the keep-state from
the ICMP and NTP rules. I had thought that you needed the keep-state
rule for ICMP if you wanted traceroute to work correctly, but it
behaves the same regardless.

add 01400 pass udp from ${oip} to any 123
add 01600 pass icmp from any to any via ${oip}

I left the keep-state on the gre rule, well, because I am afraid it
may cause weirdness in the VPN connection.

Norm Vilmer

Norm
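Added example (not part of the thread, and not FreeBSD's ipfw code): a small Python model of first-match rule evaluation plus a keep-state dynamic table, run over the three rule sets discussed above. It shows what Bill describes, that keep-state records the ip/port pair of the outgoing UDP query so the answer from port 53 is let back in while an unsolicited packet is not, and that the two stateless rc.firewall UDP rules describe a DNS server listening on ${oip}:53 (a client query leaving from an ephemeral port matches neither of them and creates no state). The addresses, the ephemeral ports and the simplifications noted in the docstring are assumptions made for the example; each rule set is evaluated in isolation, since the rest of each poster's ruleset is not on the page.

```python
"""Toy model of ipfw rule evaluation with keep-state dynamic rules.

Added example for this page, not code from the thread or from ipfw.
Simplifications: the dynamic table is consulted before any static rule
(real ipfw consults it at the first keep-state/check-state rule it
reaches), there are no timeouts, and there is an implicit final deny.
"""
from dataclasses import dataclass
from typing import Optional

OIP = "203.0.113.10"        # constructed outside-interface address (${oip})
RESOLVER = "198.51.100.53"  # constructed remote DNS server
CLIENT = "192.0.2.77"       # constructed remote DNS client


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Pkt":
        """The packet the other side would send back."""
        return Pkt(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                  # "pass" or "deny"
    proto: str                   # "udp", "tcp", "icmp" or "ip" (any)
    src: Optional[str] = None    # None means "any"
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Pkt) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        fields = ((self.src, p.src), (self.sport, p.sport),
                  (self.dst, p.dst), (self.dport, p.dport))
        return all(want is None or want == have for want, have in fields)


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = set()   # dynamic entries created by keep-state

    def check(self, p: Pkt) -> str:
        # A packet matching an existing dynamic entry in either direction
        # is passed without consulting the static rules.
        if p in self.dyn or p.reply() in self.dyn:
            return "pass dynamic"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.dyn.add(p)   # remember the ip/port pair
                return f"{r.action} {r.num:05d}"
        return "deny default"


def run_scenarios() -> dict:
    out = {}
    query = Pkt("udp", OIP, 40000, RESOLVER, 53)   # client query, ephemeral sport

    # 1. The stateful client rule: the outgoing query creates a dynamic
    #    entry, so the answer from port 53 gets back in; a packet nobody
    #    asked for matches no entry and falls through to the default deny.
    stateful = Firewall([Rule(1300, "pass", "udp", src=OIP, dport=53, keep_state=True)])
    out["stateful_query"] = stateful.check(query)
    out["stateful_reply"] = stateful.check(query.reply())
    out["stateful_unsolicited"] = stateful.check(Pkt("udp", RESOLVER, 53, OIP, 40001))
    out["stateful_table_size"] = len(stateful.dyn)

    # 2. The two stateless UDP rules quoted from rc.firewall: queries
    #    arriving at ${oip}:53 and answers leaving from ${oip}:53, i.e. a
    #    DNS server.  A client query from an ephemeral port matches neither.
    server = Firewall([Rule(100, "pass", "udp", dst=OIP, dport=53),
                       Rule(200, "pass", "udp", src=OIP, sport=53)])
    inbound = Pkt("udp", CLIENT, 50000, OIP, 53)
    out["server_inbound_query"] = server.check(inbound)
    out["server_answer"] = server.check(inbound.reply())
    out["server_client_query"] = server.check(query)
    out["server_table_size"] = len(server.dyn)

    # 3. The stateless outbound rule on its own: the query leaves, but this
    #    rule by itself says nothing about the answer coming back.
    stateless = Firewall([Rule(1300, "pass", "udp", src=OIP, dport=53)])
    out["stateless_query"] = stateless.check(query)
    out["stateless_reply"] = stateless.check(query.reply())
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```

Running the block prints one verdict per scenario. The point of scenario 2 is the one Bill makes: the rc.firewall rules are written for a host that answers DNS, so they cost no state-table entries, but they are not the rules that let a resolver client's replies back in.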
