ipfw query

Matthew Seaman m.seaman at plasm.demon.co.uk
Sun Jun 17 23:17:30 BST 2001

On Sun, Jun 17, 2001 at 05:05:58PM +0100, Jose Marques wrote:

> I am setting up a little firewall for my dial-up connection.  The basic
> idea is to allow me to connect out but to limit incoming traffic not
> initiated by myself to a few ports.  Using various sources I found on the
> net I've come up with the following rule set:
> -8<- cut here ----

Yup.  That's pretty much what I have.  I don't run HTTP/HTTPS servers
or allow incoming SSH, and I'm happy enough to let inetd handle ident
requests.  As I'm using demon, I limit incoming SMTP connections to
the address range of the demon mail servers
(http://www.demon.net/helpdesk/faq/server_address.shtml).  One thing I
do which I picked up from the net a while back --- can't remember
exactly where now --- is absolutely forbid any packets with the rr
"record route" option set:

add deny log all from any to any ipoptions rr
add check-state
add deny log tcp from any to any established
add allow tcp from me to any out via tun0 keep-state
add allow tcp from to me 25 in via tun0 keep-state
add allow udp from me to any 53 out via tun0 keep-state
add allow udp from me 123 to any 123 keep-state
add allow icmp from me to any out
add allow icmp from any to me in icmptype 0,3,4,8,11,12
add unreach filter-prohib log icmp from any to any
add 65534 deny log ip from any to any

> I would really appreciate comments from any ipfw experts out there on
> whether or not the rules do what I think they do.  In particular I'm not
> at all sure that I understand keep-state properly.

You seem to have the basic idea: the static rules default to denying
pretty much everything, except certain packets that can establish
particular connections.  Any new connection is recorded, and a
time-limited dynamic rule is generated allowing tcp or udp or whatever
packets in either direction between a specific local ip+port and
remote ip+port.

> One further query, when I do "ipfw show" I see a lot of dynamic rules
> listed that don't go away.  The "T" value in the listing seems to count
> down to 0.  When it reaches 0 does it mean the rule has expired?

Yes.  Once T has counted down to zero the dynamic rule has expired, so
no more packets should be transmitted, but the rule will not be wiped
out until ipfw needs to reuse that slot in the dynamic rule table.

Dr Matthew J Seaman MA, D.Phil.                          26 The Paddocks
                                                         Savill Way
Tel: +44 1628 476614                                     Bucks., SL7 1TH UK
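To make the "T counts down to 0" point concrete, here is a small parser for the dynamic-rule section of `ipfw -d show` that separates live state entries from expired ones still occupying a slot.  This is an added example, not code from the thread; the line layout (`rule pkts bytes (T ttl, # bucket) ty type proto, src sport <-> dst dport`) is assumed from the FreeBSD 4.x ipfw(8) output of the period and the sample lines are constructed, not captured.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `ipfw -d show` dynamic-rule output (assumed 4.x layout).
# Rule numbers and addresses are made up; 192.0.2.0/24 is a documentation range.
SAMPLE = """\
## Dynamic rules:
00300 14 2052 (T 298, # 57) ty 0 tcp, 10.0.0.2 1043 <-> 192.0.2.25 25
00400 2 160 (T 0, # 12) ty 0 udp, 10.0.0.2 1029 <-> 192.0.2.53 53
00300 0 0 (T 0, # 3) ty 0 tcp, 10.0.0.2 1050 <-> 192.0.2.80 80
00500 6 456 (T 45, # 9) ty 0 udp, 10.0.0.2 123 <-> 192.0.2.123 123
"""

DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T (?P<ttl>\d+), # \d+\)\s+ty \d+\s+(?P<proto>\w+),\s+"
    r"(?P<src>[\d.]+) (?P<sport>\d+) <-> (?P<dst>[\d.]+) (?P<dport>\d+)$"
)


@dataclass
class DynRule:
    rule: int      # static keep-state rule that created this entry
    ttl: int       # the "T" value: seconds left before the state expires
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def expired(self) -> bool:
        # T has reached zero: the state no longer matches packets, but the
        # entry stays listed until ipfw reuses the slot.
        return self.ttl == 0


def parse_dynamic(text: str) -> List[DynRule]:
    """Parse the dynamic-rule lines; header and unrelated lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            g = m.groupdict()
            rules.append(DynRule(int(g["rule"]), int(g["ttl"]), g["proto"],
                                 g["src"], int(g["sport"]), g["dst"], int(g["dport"])))
    return rules


def summarize(rules: List[DynRule]) -> Dict[int, Dict[str, int]]:
    """Per parent rule, count entries that are still live versus merely stale."""
    out: Dict[int, Dict[str, int]] = {}
    for r in rules:
        bucket = out.setdefault(r.rule, {"active": 0, "expired": 0})
        bucket["expired" if r.expired else "active"] += 1
    return out
```

Running `summarize(parse_dynamic(SAMPLE))` shows rule 300 with one live SMTP state and one stale HTTP entry, which is the "rules that don't go away" effect described above.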