ipfw query

Richard Smith rdls at rdls.net
Tue Jun 19 21:26:08 BST 2001


On Tue, Jun 19, 2001 at 02:04:56PM +0100, Paul Civati wrote:
> Richard Smith <rdls at rdls.net> wrote:
> 
> > Is there an advantage to using the keep-state/check-state dynamic style
> > over the setup/established static style of writing ipfw rules?
> > Particularly from a security standpoint?
> 
> Yes.
> 
> 'setup/established' style filtering usually only looks at the flags
> set on TCP connections, so is somewhat limited.
> 
> 'keep-state/check-state' style filtering maintains a state table
> of data 'flows' (for want of a better word), and tracks (based
> on src/dst/port, sequence numbers, etc) streams of packets (both
> UDP and TCP) and only allows packets back in that are part of a
> flow established from (say within) your network to external hosts.
> 
> This is sometimes called stateful inspection and is more usually
> found on commercial firewall products, e.g. Checkpoint Firewall-1.

Thanks Paul,

I can see myself removing all my setup/established rules. Rules for
incoming TCP connections may as well ignore flags, e.g.

    allow tcp from any to myserver http

[assuming that the firewall can handle the extra work load from not having
an early `established' rule]

Another question, concerning the following rule that appears in the
standard /etc/rc.firewall...

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

What are the pros and cons of the absence/presence of this rule? I was
going to say "I have never seen a non-zero count for this rule",
but I just checked one of my firewalls and it has recorded 1 packet,
208 bytes, in 105 days of uptime.

Rich.
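The keep-state/check-state layout discussed in this thread, written out as an rc.firewall-style fragment; this is an added example, not code from the thread or from the stock /etc/rc.firewall, and the interface name, server address and rule numbers are assumptions.

```sh
#!/bin/sh
# Added example: a stateful ipfw rule set in the rc.firewall ${fwcmd} style.
# No setup/established rules; the dynamic state table does that job.
fwcmd="${fwcmd:-/sbin/ipfw}"        # set fwcmd=echo to dry-run the rule set
oif="${oif:-fxp0}"                  # assumed external interface
myserver="${myserver:-192.0.2.10}"  # assumed web server (documentation address)

stateful_rules() {
    ${fwcmd} -f flush
    # Consult the dynamic state table first: any packet, in either
    # direction, that belongs to a flow recorded by keep-state is passed here.
    ${fwcmd} add 100 check-state
    # Outbound flows from our side create state; replies are matched
    # by rule 100, so no 'established' shortcut is needed for them.
    ${fwcmd} add 200 allow tcp from any to any out via ${oif} setup keep-state
    ${fwcmd} add 210 allow udp from any to any out via ${oif} keep-state
    # Inbound service: the connection attempt itself creates the state
    # entry; the rest of the flow (data, FIN, etc.) rides on rule 100.
    ${fwcmd} add 300 allow tcp from any to ${myserver} 80 in via ${oif} setup keep-state
    # The fragment rule from the stock rc.firewall, kept as its own numbered
    # rule so that 'ipfw -a list' shows its packet/byte counters separately.
    ${fwcmd} add 400 pass all from any to any frag
    # Everything else is dropped and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}
```

Run with fwcmd=echo first to review the generated rules before loading them on a live firewall.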