IPFW: Why can I add port numbers to established and what does that do ?
Ian Smith
smithi at nimnet.asn.au
Fri Nov 17 13:22:15 UTC 2017
In freebsd-questions Digest, Vol 702, Issue 7, Message: 13
On Thu, 16 Nov 2017 16:07:47 -0800 javocado <javocado at gmail.com> wrote:
> I think you misunderstand what I am asking - you have explained why an
> "established" rule is needed in the ruleset. You are correct and it is
> something (an established rule) that I always use.
You also use 'from any to any' without specifying whether inbound to, or
outbound from your machine, which can be dangerous unless elsewhere
protected in your ruleset.
I would suggest studying /etc/rc.firewall as several long-proven sets
of ipfw rules, written and maintained by our skilled security people.
The 'client' ruleset might suit you out of the box, or with small
modifications. For example, it shows allowing for running a mail
server, but is otherwise restrictive on what inbound connections are
allowed, but unrestrictive in what you can do outbound.
> What I am saying is: I just noticed that you can specify a port number in
> the established rule:
>
>
> allow tcp from any to any 22 established
>
>
> ... which I don't understand. In fact, I think it is a bug, but I am
> asking to make sure. It doesn't seem like specifying a port in the
> established rule makes any sense ...
You can specify ports, or port ranges, or tables of ports, or addresses,
interfaces, etc., on any TCP rule. 'established' is just a qualifier,
meaning only that a packet does not have the SYN bit set (i.e. is not a
'setup' packet).
I use several rules that deny (or in some cases allow) established
packets from a) certain networks or addresses in tables; and b) on
certain ports to internal addresses that do not handle such traffic.
Do not be misled by the IPFW Handbook page, or the rulesets there; read
ipfw(8) and prosper. At least start from a basically secure framework,
even before you need to understand how it all works.
Thanks Chris Gordon for showing how ssh connections work ..
cheers, Ian