ipfw query

Richard Smith rdls at rdls.net
Tue Jun 19 21:06:40 BST 2001


On Tue, Jun 19, 2001 at 07:52:21AM +0100, Matthew Seaman wrote:
> On Mon, Jun 18, 2001 at 10:40:14PM +0100, Richard Smith wrote:
> > 
> > I notice that only dynamic rules are being bandied about in this thread,
> > yet the default rc.firewall (with 4.3-R) uses it for one UDP rule only.
> 
> Two rules in the current /etc/rc.firewall as far as I can see --- I
> have $FreeBSD: src/etc/rc.firewall,v 1.30.2.12 2001/03/06 01:58:02
> obrien Exp $

Oh Yes :-)

> > Is there an advantage to using the keep-state/check-state dynamic style
> > over the setup/established static style of writing ipfw rules?
> 
> Absolutely yes. First of all, you can't use setup/established for
> anything other than tcp.

Yes, I accept that. I already use dynamic rules for UDP, I am more
concerned with whether to rewrite my TCP rules...

[snip]

> Secondly, allowing incoming packets (whether udp or tcp without the
> setup flag) exposes you to SYN-flood DOS attacks.  It's not a perfect
> defense, as a lot of bandwidth would still be sucked up by the
> flooding packets, but it will stop your machine wasting too many
> cycles dealing with them.

Would not bogus established TCP packets pass through the firewall and
require to be fended off by the protected servers?  Whereas of course,
the dynamic approach would halt them at the firewall. ('course I may
be reading this entirely wrong).

> The advantages are all in improved security.  Disadvantages are that
> it adds complexity and uses up more system resources to achieve its
> end.  On a busy gateway machine you'll have to tune the
> net.inet.ip.fw.dyn_buckets sysctl and so forth or you could run out of
> space for dynamic rules.

I use kick ass firewalls so grunt is not an issue for me :-)

Thanks for the info,
Rich.
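The difference Richard is asking about, as an added model written for this page (it is not code from the thread, from rc.firewall or from ipfw itself): a minimal simulation of ipfw's stateless `setup`/`established` idiom beside the `check-state`/`keep-state` idiom, fed constructed traffic. The server address, ports and the simplified packet-flag semantics are assumptions; a real ipfw `established` match also covers RST, and dynamic rules expire, which the model ignores.

```python
from collections import namedtuple

SERVER = "10.0.0.10"   # constructed address of the protected host (assumption)
Packet = namedtuple("Packet", "proto src sport dst dport syn ack", defaults=(False, False))

def static_allow(pkt):
    """Stateless idiom:  allow tcp from any to any established
                         allow tcp from any to SERVER 22 setup"""
    if pkt.proto != "tcp":
        return False                         # setup/established exist only for tcp
    if pkt.ack:                              # 'established': ACK (or RST) bit set...
        return True                          # ...with no memory of whether a connection exists
    return pkt.syn and (pkt.dst, pkt.dport) == (SERVER, 22)   # 'setup': SYN set, ACK clear

class DynamicFirewall:
    """Stateful idiom:  check-state
                        allow tcp from any to SERVER 22 setup keep-state
                        allow udp from SERVER to any 53 keep-state"""
    def __init__(self):
        self.state = set()                   # the dynamic rules, keyed by 5-tuple

    def allow(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return True                      # check-state: either direction of a known flow
        if pkt.proto == "tcp" and pkt.syn and not pkt.ack and (pkt.dst, pkt.dport) == (SERVER, 22):
            self.state.add(fwd)              # setup keep-state: only a genuine SYN creates state
            return True
        if pkt.proto == "udp" and pkt.src == SERVER and pkt.dport == 53:
            self.state.add(fwd)              # outbound DNS query creates state for its reply
            return True
        return False

def run_scenario():
    """Constructed traffic: a bogus 'established' ACK aimed at a port that offers no
    service, a real SSH handshake, and a DNS exchange.
    Returns {name: (static_verdict, dynamic_verdict)}."""
    flows = [
        ("bogus_ack", Packet("tcp", "198.51.100.7", 40000, SERVER, 25, ack=True)),
        ("syn",       Packet("tcp", "203.0.113.5", 51000, SERVER, 22, syn=True)),
        ("synack",    Packet("tcp", SERVER, 22, "203.0.113.5", 51000, syn=True, ack=True)),
        ("ack",       Packet("tcp", "203.0.113.5", 51000, SERVER, 22, ack=True)),
        ("dns_query", Packet("udp", SERVER, 53001, "192.0.2.53", 53)),
        ("dns_reply", Packet("udp", "192.0.2.53", 53, SERVER, 53001)),
    ]
    dyn = DynamicFirewall()
    return {name: (static_allow(p), dyn.allow(p)) for name, p in flows}
```

The bogus ACK is the case from the question above: the static ruleset passes it to the server, the dynamic one drops it at the firewall because no `setup keep-state` rule ever created a matching entry, and the UDP exchange is only expressible at all in the dynamic style.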
