Dave McCammon wrote:

--- Bill Moran <[EMAIL PROTECTED]> wrote:


Rob <[EMAIL PROTECTED]> wrote:


Norm Vilmer wrote:

Here are the rules that I have that keep-state on the outside interface:

#For DNS
add 01300 pass udp from ${oip} to any 53 keep-state

# For NTP
add 01400 pass udp from ${oip} to any 123 keep-state

# For VPN
add 01500 pass gre from any to any keep-state
# For ICMP
add 01600 pass icmp from any to any via ${oip} keep-state

Do you think these are causing the problem?

Aren't udp and icmp state-less protocols? In that case, keep-state would not make much sense.

I use 'keep-state' only for tcp rules.

I may be wrong, moreover, I haven't followed the full thread :).

You'll generally need to keep state on UDP when you play online games.

If you're smart, you don't allow arbitrary UDP packets from the outside world into your network, but if you're playing Unreal or something, then all communication is via UDP, and you won't be able to play.

The best solution is to allow all UDP traffic to _leave_, while keeping state.  The keep-state remembers the ip/port information on the outgoing packets, and thus allows return packets to get back in (by matching the ip/port pair).

Now, when you know the port, it doesn't really make sense to use keep-state, and all you're really doing is spamming your state tables.

If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see these rules (designed to handle running a DNS server):
       # Allow access to our DNS
       ${fwcmd} add pass tcp from any to ${oip} 53 setup
       ${fwcmd} add pass udp from any to ${oip} 53
       ${fwcmd} add pass udp from ${oip} 53 to any

Granted, it's three rules instead of 1, but it does not use your state tables unnecessarily (sp?)

HTH.




Sorry, wasn't done with last message.

Look at your dynamic table, if you are getting DoS'd,
try using the "limit" option instead of keep-state or
tweak the net.inet.ip.fw.dyn_(*)_lifetime to a level
that suits your needs.

Or, rewrite your rules removing the keep-state options.



I think I follow you. I am going to have to play around with the
DNS rules supplied with rc.firewall to see if I can get them to
work. Just putting them in as given, my machines inside the firewall
can not do nslookups.

I am a little afraid to play with the net.inet.ip.fw.dyn_(*)_lifetime
level, I have seen a number of postings where people increase the value,
mine is set to 300 (default). I did remove keep-state from all my rules
except the gre rule. I also set the net.inet.ip.fw.dyn_max to 8192 which
helps.

Maybe I need a good book on the subject. Any suggestions?

Norm Vilmer


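As an added example that is not part of the thread, here is an rc.firewall-style fragment that puts Bill's and Dave's advice together in one rule set: stateless rule pairs for the services whose ports are known (DNS, NTP), keep-state only for outbound UDP to unknown ports, and "limit" rather than plain keep-state on the GRE rule so one peer cannot fill the dynamic table. Note that the three rc.firewall DNS rules quoted above are written for a DNS *server* listening on ${oip}; a resolver behind the firewall needs the opposite direction (from ${oip} to any 53, and from any 53 back to ${oip}), which is what the pair below does. Everything specific here is an assumption: the address 192.0.2.1 and interface em0 stand in for the real ${oip} and outside interface, the limit of 4 per source address and the dyn_max/lifetime values are illustrative, the inside hosts are assumed to be NATed to ${oip} before these rules are evaluated, and fwcmd defaults to "echo ipfw" so the script only prints the rules it would load (set fwcmd=/sbin/ipfw on the firewall itself).

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD's rc.firewall.
# fwcmd defaults to a dry run that prints the rules; set fwcmd=/sbin/ipfw
# (and sysctlcmd=/sbin/sysctl) on the firewall to actually load them.
fwcmd="${fwcmd:-echo ipfw}"
sysctlcmd="${sysctlcmd:-echo sysctl}"
oip="${oip:-192.0.2.1}"   # assumed outside address; substitute your own
oif="${oif:-em0}"         # assumed outside interface name

build_rules() {
    # Consult the dynamic table first: replies already admitted by an
    # earlier keep-state/limit rule pass here without further matching.
    ${fwcmd} add 01000 check-state

    # Known-port services get a stateless pair, one rule per direction.
    # No dynamic entry is created, so these can never fill dyn_max.
    # DNS lookups from the firewall/NAT address to any resolver
    ${fwcmd} add 01300 pass udp from ${oip} to any 53
    ${fwcmd} add 01301 pass udp from any 53 to ${oip}
    # NTP
    ${fwcmd} add 01400 pass udp from ${oip} to any 123
    ${fwcmd} add 01401 pass udp from any 123 to ${oip}

    # GRE has no ports, so there is no port pair to match replies on;
    # state is kept on the address pair. "limit src-addr N" creates the
    # same dynamic entry as keep-state but caps entries per source
    # address (N=4 is an assumed value), bounding what one peer can hold.
    ${fwcmd} add 01500 pass gre from any to any limit src-addr 4

    # UDP to ports we do not know in advance (games and the like): let it
    # leave and keep state, so only the matching reply gets back in.
    ${fwcmd} add 01600 pass udp from ${oip} to any out via ${oif} keep-state

    # ICMP stateless, restricted to echo reply/request, unreachable and
    # time exceeded; everything else is dropped by the final rule.
    ${fwcmd} add 01700 pass icmp from any to any icmptypes 0,3,8,11 via ${oif}

    # Anything else arriving on the outside interface is denied and logged.
    ${fwcmd} add 01800 deny log ip from any to any in via ${oif}
}

tune_dynamic_table() {
    # Cap the dynamic table (assumed size) and keep the short UDP lifetime:
    # dyn_udp_lifetime governs the UDP entries above, while the 300 seconds
    # most people see is dyn_ack_lifetime, which applies to established TCP.
    ${sysctlcmd} net.inet.ip.fw.dyn_max=8192
    ${sysctlcmd} net.inet.ip.fw.dyn_udp_lifetime=10
}

# Number of rules in the set that create dynamic-table entries
# (keep-state or limit); handy for checking the set before loading it.
count_stateful_rules() {
    build_rules | grep -Ec 'keep-state|limit '
}

build_rules
tune_dynamic_table
```

Run it once with the defaults to review the printed rule set, then rerun with fwcmd=/sbin/ipfw to load it; "ipfw -d list" afterwards shows the dynamic entries, which with this layout should be only the GRE and outbound-UDP flows actually in use.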
