Static rules (Stateless) versus Dynamic (Stateful) Rulesets in IPFW

Matthew McGehrin mcgehrin at reverse.net
Thu Jan 22 02:31:49 PST 2004


It seems to be a recent trend in which firewall authors are using dynamic rulesets for their firewall code. It's been my experience that dynamic rules work in low to medium load situations (less than 1024 active TCP/IP connections), but beyond this limit, static rules are the way to go.

For example, I run an IRC shell company. I maintain multiple boxes that have 1500+ active TCP/IP connections. My upstream provides basic DoS filtering, but it's my responsibility to protect my machines. I use the following ruleset:

00001 allow ip from any to any via lo0
# pipes
00010 pipe 10 tcp from 1.2.3.0/24 6660-9999,4400 to any out
00012 pipe 10 tcp from 1.2.3.0/24 to any 6660-9999,4400 out
00014 pipe 10 tcp from 1.2.3.0/24 to any 53,80,113,1080 out
00020 pipe 10 ip from 1.2.3.3 to any out
00022 pipe 10 udp from 1.2.3.0/24 to any out
00024 pipe 10 icmp from 1.2.3.0/24 to any out
00050 pipe 50 ip from 1.2.3.0/24 to any out
ipfw pipe 10 config bw  115k queue 8k mask dst-ip 0xff000000
ipfw pipe 50 config bw  256k queue 8k mask dst-ip 0xff000000

# split protocol
00100 skipto 2000 tcp from any to any
00200 skipto 4000 udp from any to any
00300 skipto 6000 icmp from any to any
# tcp
02000 allow tcp from any to any established
02100 allow tcp from any to any 1024-65535,25,80,81,443 setup
02200 allow tcp from any to any 20-21,22,43,53,110,113 setup
02300 allow tcp from any to any 23,873 out setup
02400 deny tcp from any to any
# udp
04000 allow udp from any to any 50-53,123
04100 allow udp from any to any 1024-65535
04200 deny udp from any to any
# icmp
06000 allow icmp from any to any in icmptype 0,3,4,11,12
06100 allow icmp from any to any out icmptype 3,4,8
06200 deny icmp from any to any
# default
65535 deny ip from any to any

In this situation, using a 'dynamic ruleset' brings the box to a crawl. However, a static ruleset works with very little CPU overhead.


Thanks

-- Matthew
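
As an added illustration that is not part of Matthew's post, the following Python model walks the filtering rules above (rule 00001 and rules 00100 to 65535; the dummynet pipe rules are left out, and because every filter rule is "from any to any", address matching is not modelled). The rule parser covers only the syntax the listing uses, the packets and the em0 interface name are constructed, and dynamic_evaluate is a toy keep-state model, not ipfw's dynamic rules. It shows the trade-off the post describes: the static rules need no per-connection memory, so rule 02000 'established' accepts any TCP segment carrying ACK or RST on the strength of its flags alone, while the stateful model pays for each accepted flow with a table entry and in return only passes segments that belong to a flow it has seen.

```python
"""Toy evaluator for the filtering part of the post's static ipfw ruleset, with
a minimal keep-state model for contrast. Added example, not ipfw code."""
from collections import namedtuple

# Rules 00001 and 00100-65535 from the post; the pipe/dummynet rules are omitted.
RULESET = """\
00001 allow ip from any to any via lo0
00100 skipto 2000 tcp from any to any
00200 skipto 4000 udp from any to any
00300 skipto 6000 icmp from any to any
02000 allow tcp from any to any established
02100 allow tcp from any to any 1024-65535,25,80,81,443 setup
02200 allow tcp from any to any 20-21,22,43,53,110,113 setup
02300 allow tcp from any to any 23,873 out setup
02400 deny tcp from any to any
04000 allow udp from any to any 50-53,123
04100 allow udp from any to any 1024-65535
04200 deny udp from any to any
06000 allow icmp from any to any in icmptype 0,3,4,11,12
06100 allow icmp from any to any out icmptype 3,4,8
06200 deny icmp from any to any
65535 deny ip from any to any
"""
OPTIONS = {"in", "out", "via", "established", "setup", "icmptype"}

# Constructed packet; flags are TCP flag letters ("S", "A", "SA", "R"), "em0" is an assumed interface.
Packet = namedtuple("Packet", "proto src dst sport dport direction iface flags icmptype",
                    defaults=(0, 0, "in", "em0", "", -1))

def parse_ports(tok):
    """'20-21,22' -> ((20, 21), (22, 22)); an empty tuple means any port."""
    return tuple((int(a), int(b or a)) for a, _, b in (p.partition("-") for p in tok.split(",")))

def parse_rule(line):
    """Parse one 'ipfw list' style line; covers only the syntax used in RULESET."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "target": 0, "dports": (), "direction": "",
         "iface": "", "established": False, "setup": False, "icmptypes": ()}
    i = 2
    if r["action"] == "skipto":                     # 'skipto <number>'
        r["target"], i = int(t[i]), i + 1
    r["proto"], i = t[i], i + 5                     # '<proto> from any to any'
    if i < len(t) and t[i] not in OPTIONS:          # optional destination port list
        r["dports"], i = parse_ports(t[i]), i + 1
    while i < len(t):                               # trailing options
        if t[i] in ("in", "out"):
            r["direction"] = t[i]
        elif t[i] in ("established", "setup"):
            r[t[i]] = True
        elif t[i] == "via":
            r["iface"], i = t[i + 1], i + 1
        elif t[i] == "icmptype":
            r["icmptypes"], i = tuple(int(x) for x in t[i + 1].split(",")), i + 1
        i += 1
    return r

def load_rules(text):
    return sorted((parse_rule(l) for l in text.splitlines() if l[:1].isdigit()), key=lambda r: r["num"])

def matches(r, p):
    """Stateless match: every decision is taken from the packet's own header."""
    ack_or_rst = p.proto == "tcp" and bool(set("AR") & set(p.flags))       # ipfw 'established'
    syn_only = p.proto == "tcp" and "S" in p.flags and "A" not in p.flags   # ipfw 'setup'
    return (r["proto"] in ("ip", p.proto)
            and (not r["dports"] or any(lo <= p.dport <= hi for lo, hi in r["dports"]))
            and r["direction"] in ("", p.direction) and r["iface"] in ("", p.iface)
            and (not r["established"] or ack_or_rst) and (not r["setup"] or syn_only)
            and (not r["icmptypes"] or p.icmptype in r["icmptypes"]))

def evaluate(rules, p):
    """Walk the rules in number order; return (verdict, number of the matching rule)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, p):
            i += 1
        elif r["action"] == "skipto":               # resume at the first rule >= target
            i = next(j for j, x in enumerate(rules) if x["num"] >= r["target"])
        else:
            return r["action"], r["num"]
    return "deny", 65535

def dynamic_evaluate(state, p):
    """Toy keep-state model (not ipfw's dynamic rules): an outbound TCP setup adds
    a flow to the table; other TCP traffic passes only if its flow is already there."""
    key = (p.proto, p.src, p.sport, p.dst, p.dport)
    if key in state or (p.proto, p.dst, p.dport, p.src, p.sport) in state:
        return "allow"
    if p.proto == "tcp" and p.direction == "out" and "S" in p.flags and "A" not in p.flags:
        state.add(key)                              # one table entry per accepted flow
        return "allow"
    return "deny"

RULES = load_rules(RULESET)

if __name__ == "__main__":
    # Bare ACK from an unknown host to port 22: rule 02000 accepts it on its flags alone.
    stray = Packet("tcp", "198.51.100.9", "1.2.3.4", 40000, 22, "in", flags="A")
    print(evaluate(RULES, stray), dynamic_evaluate(set(), stray))
```

Run the block directly to see the two verdicts for the stray ACK: rule 02000 passes it with ("allow", 2000), while the stateful model, having no flow for it, returns "deny". The state set grows by one entry per outbound connection, which is the cost the post attributes to dynamic rulesets on busy hosts; ipfw's own dynamic rules also expire idle entries, which this model omits.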

