Re: IPFW Statefull rules

From: Paul Schmehl
Date: 12/12/03

Date: Fri, 12 Dec 2003 04:34:49 GMT

On Thu, 11 Dec 2003 14:04:58 -0700, Justin England wrote:

> I am new to IPFW, but not to firewalling / filtering in general. I have
> been reading the man pages and any tutorials that I can find. I have come
> up against something that I need some help on.
> I am trying to use the stateful rules and have the following simple
> configuration to (start to) protect my mail server:
> mailserver=""
> ${fwcmd} add check-state
> ${fwcmd} add allow tcp from any to ${mailserver} 25 keep-state setup
> ${fwcmd} add allow tcp from ${mailserver} to any 25 keep-state setup

Read the EXAMPLES section in man ipfw(8). There's a section on stateful
(or dynamic) rules, which reads:

     In order to protect a site from flood attacks involving fake TCP packets,
     it is safer to use dynamic rules:
           ipfw add check-state
           ipfw add deny tcp from any to any established
           ipfw add allow tcp from my-net to any setup keep-state
     This will let the firewall install dynamic rules only for those
     connections which start with a regular SYN packet coming from the inside
     of our network. Dynamic rules are checked when encountering the first
     check-state or keep-state rule. A check-state rule should usually be
     placed near the beginning of the ruleset to minimize the amount of work
     scanning the ruleset. Your mileage may vary.

IOW, if you don't have the second line, just about any packet will trigger
*some* rule later on. If you're going to use keep-state, you only want
rules to be created for "real" connections, and you want to reject
anything that begins with an RST or ACK (established) rather than a SYN.

As others have pointed out, you *may* also need to look at the values you have
in sysctl (especially net.inet.ip.fw.dyn_ack_lifetime, btw), and if you
need to make changes, make them in /etc/sysctl.conf(5) (which you may have to
create). The syntax of sysctl.conf is var=val - e.g.

There's not much more irritating than having your ssh session freeze after
dyn_ack_lifetime surpasses its TTL.


Paul Schmehl
Never squat with your spurs on.
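Worked example (added here; this is not code from the original post, the
man page, or FreeBSD): a small rc.firewall-style script that applies the
ipfw(8) EXAMPLES pattern to the mail-server case in the question, with the
"deny established" line placed between check-state and the keep-state rules,
plus a helper that appends the dyn_ack_lifetime setting to sysctl.conf. The
mail server address 192.0.2.25, the rule numbers, the 3600-second lifetime,
and the FWCMD default of "echo ipfw" (a dry run so the script can be run on
any host; set FWCMD=/sbin/ipfw on the FreeBSD box to load the rules for real)
are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeBSD's rc.firewall.
# Assumptions: mail server at 192.0.2.25 (documentation range), rule numbers
# chosen here, FWCMD defaults to "echo ipfw" so the script only prints the
# commands it would run. Export FWCMD=/sbin/ipfw to actually load them.

mailserver="${mailserver:-192.0.2.25}"
fwcmd="${FWCMD:-echo ipfw}"

# Emit (or load) the stateful ruleset. Order matters:
#   1. check-state   - packets belonging to an existing dynamic rule are
#                      accepted here and never reach the rules below.
#   2. deny established - any TCP packet carrying RST or ACK that did NOT
#                      match a dynamic rule is dropped. Without this line a
#                      forged "established" packet keeps falling through the
#                      ruleset looking for *some* later rule to match.
#   3. setup keep-state - only a genuine SYN creates a dynamic rule.
load_rules() {
    $fwcmd -f flush
    $fwcmd add 100 check-state
    $fwcmd add 200 deny tcp from any to any established
    # Inbound SMTP to the mail server.
    $fwcmd add 300 allow tcp from any to "${mailserver}" 25 setup keep-state
    # Outbound SMTP from the mail server to other MTAs.
    $fwcmd add 310 allow tcp from "${mailserver}" to any 25 setup keep-state
    # Other services the host needs (DNS, ssh, ...) get their own
    # "setup keep-state" rules here, before the final deny.
    $fwcmd add 65000 deny ip from any to any
}

# Append a dyn_ack_lifetime setting (var=val syntax) to sysctl.conf.
# $1: path of the file (default /etc/sysctl.conf, which may not exist yet)
# $2: lifetime in seconds for dynamic rules of established connections
#     (3600 is an example value, not a recommendation from the post)
write_sysctl_conf() {
    conf="${1:-/etc/sysctl.conf}"
    lifetime="${2:-3600}"
    printf 'net.inet.ip.fw.dyn_ack_lifetime=%s\n' "$lifetime" >> "$conf"
}

# Dry run: prints the ipfw commands that would be executed.
load_rules
```

Run it as-is to review the generated commands; run it with
`FWCMD=/sbin/ipfw` on the firewall host to install them. The sysctl helper
is only called explicitly, e.g. `write_sysctl_conf /etc/sysctl.conf 3600`,
so the dry run never touches /etc.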
