Configuring IPFW
Robert Bonomi
bonomi at mail.r-bonomi.com
Sat Oct 22 17:33:26 UTC 2011
> Date: Sat, 22 Oct 2011 12:08:56 -0500
> To: FreeBSD <freebsd-questions at freebsd.org>
> Subject: Re: Configuring IPFW
>
> On Sat, 22 Oct 2011 09:56:12 -0400
> Carmel <carmel_ny at hotmail.com> wrote:
>
> > I am attempting to set up a firewall using IPFW with a stateful
> > behavior.
> >
> > While I have investigated how to set up these rules, I have run into
> > conflicting opinions as to whether to allow or deny "established"
> > behavior.
> >
> > EXAMPLE: (preceded by a "checkstate" rule)
> >
> > allow tcp from any to any established
> >
> >
> > Some documentation states that it should be denied and others say it
> > should be allowed. Neither has given me a convincing reason to follow
> > either scenario or any real documentation either for that fact.
> >
> > If possible, could someone with some real firewall knowledge and
> > familiarity with IPFW please give me some advice.
> >
> > Thanks!
> >
>
> Well, assuming that you're only allowing the connections you actually
> want to be established to be setup in the first place, then the
> logical thing is to then allow any already established connections.
This, of course, ignores the possibility that a 'bad guy' might send
an initial packet _without_ the 'SYN' flag set. <grin>
> All of your tcp "allow" rules should include the setup keyword, as well
> as keep-state. This way, only connections that are doing a first-time
> setup will be allowed, and their state will be remembered, for later
> checking using the check-state keyword.
Now *THAT*, done _properly_, closes the aforementioned hole. :)
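A minimal ruleset that puts the advice in this thread into practice, added here as an example and not part of any message above or of FreeBSD's own rc.firewall. The outside interface name em0, the rule numbers, and the dry-run default of IPFW_CMD=echo are assumptions; the script prints the rules it would load unless IPFW_CMD is pointed at /sbin/ipfw.

```sh
#!/bin/sh
# Added example, not from the thread. A stateful IPFW ruleset in which every
# tcp allow rule uses "setup keep-state", check-state runs first, and a bare
# "established" match is denied rather than allowed.
#
# Assumptions: outside interface em0 (OIF), placeholder rule numbers, and a
# dry-run default that echoes rules instead of loading them. To load for real:
#   IPFW_CMD=/sbin/ipfw OIF=em0 sh stateful-ipfw.sh
: "${IPFW_CMD:=echo}"
: "${OIF:=em0}"

# Emit one rule through $IPFW_CMD.
rule() { $IPFW_CMD add "$@"; }

load_stateful_rules() {
    $IPFW_CMD -f flush

    # 1. check-state first: packets that belong to a connection recorded by an
    #    earlier keep-state rule match here and never reach the rules below.
    rule 100 check-state

    # 2. Every tcp allow rule carries "setup keep-state": only a SYN (setup)
    #    can open a connection, and the dynamic rule it creates carries the
    #    rest of that connection through rule 100.
    rule 200 allow tcp from any to any out via "$OIF" setup keep-state
    rule 210 allow tcp from any to me 22 in via "$OIF" setup keep-state

    # 3. Anything still matching "established" here has ACK or RST set but no
    #    dynamic state, i.e. it never went through setup. With 1 and 2 in place
    #    an "allow ... established" rule would only ever admit such packets, so
    #    the matching rule here denies and logs them instead.
    rule 300 deny log tcp from any to any established

    # Stateful UDP for outbound queries (DNS, NTP), then default deny.
    rule 400 allow udp from me to any out via "$OIF" keep-state
    rule 65000 deny log ip from any to any
}

# Audit helper: reads rule lines from stdin and prints any that allow
# "established" traffic outright, the pattern debated in the thread.
# Returns 0 (true) if at least one such rule was found, 1 otherwise.
has_blind_established_allow() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            *allow*established*)
                printf 'blind established allow: %s\n' "$line"
                found=0 ;;
        esac
    done
    return $found
}

# Stand-alone run: print (or load) the ruleset.
load_stateful_rules
```

In dry-run mode the output is the exact sequence of `ipfw add` lines the script would issue, which is convenient for review before touching a live box. The audit helper is the check to run over an existing ruleset dump: any line it flags admits every ACK/RST-bearing segment from anywhere, stateful or not, which is the hole the "without SYN" remark above points at.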