Too many dynamic rules, sorry
Dave McCammon
davemac11 at yahoo.com
Fri Sep 17 09:16:18 PDT 2004
--- Bill Moran <wmoran at potentialtech.com> wrote:
> Rob <spamrefuse at yahoo.com> wrote:
>
> > Norm Vilmer wrote:
> > > Here are the rules that I have that keep-state on the outside interface:
> > >
> > > # For DNS
> > > add 01300 pass udp from ${oip} to any 53 keep-state
> > > # For NTP
> > > add 01400 pass udp from ${oip} to any 123 keep-state
> > > # For VPN
> > > add 01500 pass gre from any to any keep-state
> > > # For ICMP
> > > add 01600 pass icmp from any to any via ${oip} keep-state
> > >
> > > Do you think these are causing the problem?
> >
> > Aren't udp and icmp state-less protocols?
> > In that case, keep-state would not make much sense.
> >
> > I use 'keep-state' only for tcp rules.
> >
> > I may be wrong, moreover, I haven't followed the full thread :).
>
> You'll generally need to keep state on UDP when you play online games.
>
> If you're smart, you don't allow arbitrary UDP packets from the outside
> world into your network, but if you're playing Unreal or something, then
> all communication is via UDP, and you won't be able to play.
>
> The best solution is to allow all UDP traffic to _leave_, while keeping
> state. The keep-state remembers the ip/port information on the outgoing
> packets, and thus allows return packets to get back in (by matching the
> ip/port pair).
>
> Now, when you know the port, it doesn't really make sense to use
> keep-state, and all you're really doing is spamming your state tables.
>
> If you look in the /etc/rc.firewall that ships with FreeBSD, you'll see
> these rules (designed to handle running a DNS server):
>
> # Allow access to our DNS
> ${fwcmd} add pass tcp from any to ${oip} 53 setup
> ${fwcmd} add pass udp from any to ${oip} 53
> ${fwcmd} add pass udp from ${oip} 53 to any
>
> Granted, it's three rules instead of 1, but it does not use your state
> tables unnecessarily (sp?)
>
> HTH.
>
> --
> Bill Moran
> Potential Technologies
> http://www.potentialtech.com
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>
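The quoted reply makes two points that are easier to see in a small model: keep-state is what lets a UDP reply back in when no static rule permits it, and keep-state on a known port burns a dynamic-table entry per flow until the table fills (the "Too many dynamic rules" condition in the subject line). The script below is an added toy simulation written for this page, not ipfw code and not from anyone in the thread. It models ipfw's rule walk, a direction-independent dynamic table, and a cap standing in for net.inet.ip.fw.dyn_max; the addresses, the cap of 4 and the drop-on-full behaviour are constructed simplifications, and the two static DNS rules are the client-side mirror of the rc.firewall server rules quoted above, not rules from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

OIP = "203.0.113.10"     # constructed stand-in for ${oip}
NS = "198.51.100.53"     # constructed upstream resolver
GAME = "198.51.100.77"   # constructed game server
DYN_MAX = 4              # constructed tiny limit so the overflow is visible


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    number: int
    action: str              # "pass" or "deny"
    proto: str               # "udp", "tcp", "icmp" or "ip" (any protocol)
    src: str                 # address or "any"
    sport: Optional[int]     # None means any port
    dst: str
    dport: Optional[int]
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def flow_key(p: Packet):
    # A reply swaps src and dst, so sort the endpoints to get one key per flow.
    return (p.proto, tuple(sorted([(p.src, p.sport), (p.dst, p.dport)])))


class Firewall:
    def __init__(self, rules: List[Rule], dyn_max: int):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dyn_max = dyn_max
        self.dynamic = set()      # dynamic (keep-state) entries
        self.messages = []        # what the kernel would log

    def check(self, p: Packet) -> str:
        # check-state: an existing entry passes the flow in either direction.
        if flow_key(p) in self.dynamic:
            return "pass"
        for r in self.rules:
            if not r.matches(p):
                continue
            if r.action == "pass" and r.keep_state:
                if len(self.dynamic) >= self.dyn_max:
                    # Model of hitting dyn_max: no entry is installed and the
                    # packet is refused (simplification of ipfw behaviour).
                    self.messages.append("Too many dynamic rules, sorry")
                    return "deny"
                self.dynamic.add(flow_key(p))
            return r.action
        return "deny"             # implicit 65535 deny ip from any to any


def stateful_dns_rules() -> List[Rule]:
    # Known port with keep-state, as in rule 01300 of the thread.
    return [Rule(1300, "pass", "udp", OIP, None, "any", 53, keep_state=True)]


def static_dns_rules() -> List[Rule]:
    # Two static rules for the known port; no dynamic entries consumed.
    return [Rule(1300, "pass", "udp", OIP, None, "any", 53),
            Rule(1301, "pass", "udp", "any", 53, OIP, None)]


def run_lookups(rules: List[Rule], n: int):
    """Send n DNS queries from distinct source ports. Returns
    (queries passed, replies passed, dynamic entries used, log messages)."""
    fw = Firewall(rules, DYN_MAX)
    q_ok = r_ok = 0
    for i in range(n):
        sport = 40000 + i
        if fw.check(Packet("udp", OIP, sport, NS, 53)) == "pass":
            q_ok += 1
            if fw.check(Packet("udp", NS, 53, OIP, sport)) == "pass":
                r_ok += 1
    return q_ok, r_ok, len(fw.dynamic), list(fw.messages)


def game_reply_allowed(keep_state: bool) -> bool:
    """Arbitrary outbound UDP to an unknown port: does the reply get back in?"""
    fw = Firewall([Rule(1700, "pass", "udp", OIP, None, "any", None,
                        keep_state=keep_state)], DYN_MAX)
    fw.check(Packet("udp", OIP, 51000, GAME, 7777))          # outbound
    return fw.check(Packet("udp", GAME, 7777, OIP, 51000)) == "pass"


if __name__ == "__main__":
    print("keep-state on port 53:", run_lookups(stateful_dns_rules(), 6))
    print("static port 53 rules:  ", run_lookups(static_dns_rules(), 6))
    print("game reply, keep-state:", game_reply_allowed(True))
    print("game reply, no state:  ", game_reply_allowed(False))
```

With the cap of 4, the keep-state variant passes the first four lookups and their replies, then refuses the fifth and sixth query outright and logs the message twice, while the static pair passes all six without touching the dynamic table. The game case is the other half of the argument: with no static inbound rule, only the keep-state entry lets the server's reply through.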