Too many dynamic rules, sorry

Micheal Patterson micheal at tsgincorporated.com
Fri Sep 17 10:44:05 PDT 2004



----- Original Message ----- 
From: "Norm Vilmer" <norm at etherealconsulting.com>
To: "Micheal Patterson" <micheal at tsgincorporated.com>
Cc: <freebsd-questions at freebsd.org>
Sent: Friday, September 17, 2004 11:47 AM
Subject: Re: Too many dynamic rules, sorry


> Micheal Patterson wrote:
> >
> > ----- Original Message ----- 
> > From: "Norm Vilmer" <norm at etherealconsulting.com>
> > To: "Micheal Patterson" <micheal at tsgincorporated.com>
> > Cc: <freebsd-questions at freebsd.org>
> > Sent: Friday, September 17, 2004 10:30 AM
> > Subject: Re: Too many dynamic rules, sorry
> >
> >
> > <snip>
> >
> >>I do have a check-state rule
> >>
> >>add 00200 check-state
> >>
> >>Norm Vilmer
> >
> >
> > Ok. Then right above the check-state entry, place an
> >
> > allow ip from 123.123.123/24 to 123.123.123./24
> >
> > Replace the ip's with the appropriate network/metric for your lan and that
> > will allow lan traffic to go to itself unhindered by any stateful checks.
> >
> > --
> >
> > Micheal Patterson
> > TSG Network Administration
> > 405-917-0600
> >
> >
> >
> would this be the same?
>
> add 00200 allow all from any to any via ${iif} keep-state
> add 00210 check-state
>
>

The goal is to not use dynamic rules for your local lan, only the traffic
from the lan to the net. Otherwise, you're wasting dynamic state table space
for rules that aren't necessary.

A very basic stateful ruleset:

ipfw add 100 allow ip from 1.1.1.0/24 to 1.1.1.0/24
ipfw add 500 check-state
ipfw add 600 allow ip from 1.1.1.0/24 to any keep-state
ipfw add 65000 deny log ip from any to any

That type of ruleset will allow local traffic without using state table,
and the entry at 1000 will catch everything else outbound and use state
tables for it.  If it's not originating from your network, and there's no
state entry, it's blocked by 65000.

--

Micheal Patterson
TSG Network Administration
405-917-0600
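As an added illustration (not part of the thread and not ipfw code), the following toy Python model walks both rulesets from this exchange over the same constructed traffic and reports how many dynamic entries each leaves behind. It assumes a simplified state key (the unordered source/destination pair instead of ipfw's per-flow 5-tuple) and ignores the `via ${iif}` interface qualifier, so it only demonstrates the ordering point about check-state and keep-state, not ipfw's real matching engine.

```python
"""Toy model of ipfw rule evaluation (constructed for illustration, not ipfw's
real engine): rules match in order, check-state passes a packet whose flow has
a dynamic entry, keep-state creates one.  Entries are keyed on the unordered
(src, dst) pair, a simplification of ipfw's per-flow 5-tuple."""
import ipaddress

LAN, ANY = "1.1.1.0/24", "0.0.0.0/0"
# (number, action, src, dst, keep_state); the two rulesets from the thread
REPLY_RULES = [(100, "allow", LAN, LAN, False),
               (500, "check-state", None, None, False),
               (600, "allow", LAN, ANY, True),
               (65000, "deny", ANY, ANY, False)]
ASKER_RULES = [(200, "allow", ANY, ANY, True),
               (210, "check-state", None, None, False)]

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

class ToyIpfw:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # the dynamic (stateful) rule table

    def process(self, src, dst):
        """Return (action, rule number) for one packet, updating state."""
        flow = frozenset((src, dst))
        for num, action, s, d, keep in self.rules:
            if action == "check-state":
                if flow in self.dynamic:
                    return ("allow", num)
                continue
            if _in(src, s) and _in(dst, d):
                if keep:
                    self.dynamic.add(flow)
                return (action, num)
        return ("deny", None)  # ipfw's implicit final deny

# Constructed traffic: LAN-to-LAN, LAN-to-Internet, its reply, and an
# unsolicited inbound packet (RFC 5737 documentation addresses outside).
TRAFFIC = [("1.1.1.5", "1.1.1.9"), ("1.1.1.5", "203.0.113.7"),
           ("203.0.113.7", "1.1.1.5"), ("198.51.100.2", "1.1.1.5")]

def run(rules):
    """Apply TRAFFIC in order; return the verdicts and final state-table size."""
    fw = ToyIpfw(rules)
    return [fw.process(s, d) for s, d in TRAFFIC], len(fw.dynamic)

if __name__ == "__main__":
    for name, rules in (("reply", REPLY_RULES), ("asker", ASKER_RULES)):
        print(name, *run(rules))
```

Under the reply's ruleset the LAN-to-LAN packet is passed by rule 100 and creates no dynamic entry, so only the one outbound flow ends up in the state table; the any-to-any keep-state at rule 200 instead records every flow it sees.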


