IPFW: Why can I add port numbers to established and what does that do ?

Ian Smith smithi at nimnet.asn.au
Fri Nov 17 13:22:15 UTC 2017


In freebsd-questions Digest, Vol 702, Issue 7, Message: 13
On Thu, 16 Nov 2017 16:07:47 -0800 javocado <javocado at gmail.com> wrote:

 > I think you misunderstand what I am asking - you have explained why a
 > "established" rule is needed in the ruleset.  You are correct and it is
 > something (an established rule) that I always use.

You also use 'from any to any' without specifying whether inbound to, or 
outbound from your machine, which can be dangerous unless elsewhere 
protected in your ruleset.

I would suggest studying /etc/rc.firewall as several long-proven sets 
of ipfw rules, written and maintained by our skilled security people.

The 'client' ruleset might suit you out of the box, or with small 
modifications.  For example, it shows allowing for running a mail 
server, but is otherwise restrictive on what inbound connections are 
allowed, but unrestrictive in what you can do outbound.

 > What I am saying is:  I just noticed that you can specify a port number in
 > the established rule:
 > 
 > 
 > allow tcp from any to any 22 established
 > 
 > 
 > ... which I don't understand.  In fact, I think it is a bug, but I am
 > asking to make sure.  It doesn't seem like specifying a port in the
 > established rule makes any sense ...

You can specify ports, or port ranges, or tables of ports, or addresses, 
interfaces, etc., on any TCP rule.  'established' is just a qualifier, 
meaning only that a packet does not have the SYN bit set (i.e., is not a 
'setup' packet).

I use several rules that deny (or in some cases allow) established 
packets from a) certain networks or addresses in tables; and b) on 
certain ports to internal addresses that do not handle such traffic.

Do not be misled by the IPFW Handbook page, or the rulesets there; read 
ipfw(8) and prosper.  At least start from a basically secure framework, 
even before you need to understand how it all works.

Thanks Chris Gordon for showing how ssh connections work ..

cheers, Ian
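As an added example (not part of Ian's post, and not FreeBSD's ipfw code), the following Python model shows the point made above: 'established' is just one more match qualifier alongside direction, addresses and ports, rules are tried in order and the first match wins. It follows the flag definitions in ipfw(8) (setup: SYN set and ACK clear; established: ACK or RST set), which for real traffic is the same as "not a setup packet". The host address 203.0.113.10, the management network 192.0.2.0/24 and the packets are constructed sample values; `Rule`, `Packet` and `verdict` are names chosen here, not ipfw's.

```python
"""Toy model of ipfw TCP rule matching (added example, not ipfw itself).

Models only what the thread discusses: in/out direction, source and
destination address/port qualifiers, and the 'setup' / 'established'
TCP-flag qualifiers as defined in ipfw(8).  Rules are checked in order
and the first match decides, as ipfw does; no match means deny (a kernel
built without IPFIREWALL_DEFAULT_TO_ACCEPT).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set


@dataclass
class Packet:
    direction: str          # "in" or "out", relative to this host
    src: str
    sport: int
    dst: str
    dport: int
    flags: Set[str] = field(default_factory=set)   # subset of SYN ACK RST FIN


@dataclass
class Rule:
    action: str                         # "allow" or "deny"
    direction: Optional[str] = None     # None = no in/out keyword: matches both
    src: str = "any"                    # "any" or a CIDR such as 192.0.2.0/24
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    established: bool = False           # ipfw(8): ACK or RST set
    setup: bool = False                 # ipfw(8): SYN set, ACK clear


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every qualifier on the rule must hold; 'established' is no different."""
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule.setup and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
        return False
    return True


def verdict(rules, pkt: Packet) -> str:
    """First matching rule decides; fall through to deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


ME = "203.0.113.10"                     # constructed: this host's address

# Constructed ruleset, in ipfw syntax as comments:
RULESET = [
    # allow tcp from any to any 22 established        (the rule asked about)
    Rule("allow", dport=22, established=True),
    # allow tcp from 192.0.2.0/24 to me 22 setup in   (only management net may open ssh)
    Rule("allow", direction="in", src="192.0.2.0/24", dst=ME, dport=22, setup=True),
    # allow tcp from me to any setup out              (we may open outbound connections)
    Rule("allow", direction="out", src=ME, setup=True),
    # deny tcp from any to any
    Rule("deny"),
]

# Same ruleset with a direction-free, port-free established rule instead,
# which is what lets the server's own replies through.
RULESET_WIDE = [Rule("allow", established=True)] + RULESET[1:]

# Constructed packets: a stranger's SYN, a management SYN, a data ACK, a reply ACK.
STRANGER_SYN = Packet("in", "198.51.100.7", 40000, ME, 22, {"SYN"})
MGMT_SYN = Packet("in", "192.0.2.5", 40000, ME, 22, {"SYN"})
MGMT_ACK = Packet("in", "192.0.2.5", 40000, ME, 22, {"ACK"})
REPLY_ACK = Packet("out", ME, 22, "192.0.2.5", 40000, {"ACK"})


if __name__ == "__main__":
    for name, pkt in [("stranger SYN", STRANGER_SYN), ("mgmt SYN", MGMT_SYN),
                      ("mgmt ACK", MGMT_ACK), ("reply ACK", REPLY_ACK)]:
        print(f"{name:13s} narrow={verdict(RULESET, pkt):5s} "
              f"wide={verdict(RULESET_WIDE, pkt)}")
```

Running it shows the port qualifier doing exactly what any other qualifier does: the stranger's SYN to port 22 is not 'established', so it falls past the first rule and is denied; the management network's SYN is allowed by the 'setup' rule; its later ACK is allowed by the port-22 'established' rule. The server's own reply (destination port 40000, not 22) is not matched by `allow tcp from any to any 22 established` and is denied under the narrow ruleset, which is why rulesets like those in /etc/rc.firewall pair port-specific rules with a direction-aware general 'established' rule rather than relying on one port-qualified line.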

