ipfw query

Richard Smith rdls at rdls.net
Mon Jun 18 22:40:14 BST 2001


On Sun, Jun 17, 2001 at 11:17:30PM +0100, Matthew Seaman wrote:
[snip]
> add deny log all from any to any ipoptions rr
> add check-state
> add deny log tcp from any to any established
> add allow tcp from me to any out via tun0 keep-state
> add allow tcp from 194.217.242.0/24 to me 25 in via tun0 keep-state
> add allow udp from me to any 53 out via tun0 keep-state
> add allow udp from me 123 to any 123 keep-state
> add allow icmp from me to any out
> add allow icmp from any to me in icmptype 0,3,4,8,11,12
> add unreach filter-prohib log icmp from any to any
> add 65534 deny log ip from any to any
[snip]
> You seem to have the basic idea: the static rules default to denying
> pretty much everything, except certain packets that can establish
> particular connections.  Any new connection is recorded, and a time
> limited dynamic rule is generated allowing tcp or udp or whatever
> packets in either direction between a specific local ip+port and
> remote ip+port.

I notice that only dynamic rules are being bandied about in this thread,
yet the default rc.firewall (with 4.3-R) uses it for one UDP rule only.

Is there an advantage to using the keep-state/check-state dynamic style
over the setup/established static style of writing ipfw rules?

Particularly from a security standpoint?

Thanks,
-- 
Richard Smith
Network Systems Director
Satamatics Ltd
Green Lane, Tewkesbury, GL20 8HD, United Kingdom
Tel: +44 1684 278610
Fax: +44 1684 278611
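The two rule styles the question asks about, side by side, as an added example that is not part of the post or of rc.firewall. It borrows the tun0 interface and the 194.217.242.0/24 mail peer from the quoted ruleset, and it dry-runs by echoing the ipfw commands unless FWCMD is set to the real binary:

```shell
#!/bin/sh
# Added example (not from the mailing-list post): the static
# "setup/established" style next to the dynamic "keep-state/check-state"
# style, written the way /etc/rc.firewall drives ipfw through a variable.
# Assumptions: OIF and MAILPEER come from the quoted ruleset; FWCMD
# defaults to a dry run that prints the rules instead of loading them.
# On a FreeBSD host, FWCMD=/sbin/ipfw sh thisfile loads them for real.
FWCMD="${FWCMD:-echo /sbin/ipfw}"
OIF="tun0"
MAILPEER="194.217.242.0/24"

# Static style: the firewall keeps no per-connection memory. "setup"
# matches only the opening SYN; "established" matches any TCP packet with
# ACK or RST set, from anyone, so return traffic is admitted on flag bits
# alone, and UDP replies need a standing hole for source port 53.
static_rules() {
    ${FWCMD} -f flush
    ${FWCMD} add allow tcp from me to any out via ${OIF} setup
    ${FWCMD} add allow tcp from ${MAILPEER} to me 25 in via ${OIF} setup
    ${FWCMD} add allow tcp from any to any via ${OIF} established
    ${FWCMD} add allow udp from me to any 53 out via ${OIF}
    ${FWCMD} add allow udp from any 53 to me in via ${OIF}
    ${FWCMD} add 65534 deny log ip from any to any
}

# Dynamic style, as in the quoted ruleset: the packet that matches a
# keep-state rule records local and remote ip+port, later packets of that
# session match at check-state, and the dynamic rule expires after its
# lifetime. A TCP packet with ACK set that belongs to no recorded session
# matches no dynamic rule and falls through to the deny-established rule.
dynamic_rules() {
    ${FWCMD} -f flush
    ${FWCMD} add check-state
    ${FWCMD} add deny log tcp from any to any established
    ${FWCMD} add allow tcp from me to any out via ${OIF} keep-state
    ${FWCMD} add allow tcp from ${MAILPEER} to me 25 in via ${OIF} keep-state
    ${FWCMD} add allow udp from me to any 53 out via ${OIF} keep-state
    ${FWCMD} add 65534 deny log ip from any to any
}

# Number of "add" rules a style emits; handy for eyeballing a dry run.
rule_count() { "$1" | grep -c ' add '; }
```

Run it as-is to print both rulesets and compare them line by line before loading either on a real box.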