Re: IPFW Stateful rules

From: Paul Schmehl (pschmehl_at_sbcglobal.net)
Date: 12/12/03


Date: Fri, 12 Dec 2003 04:34:49 GMT

On Thu, 11 Dec 2003 14:04:58 -0700, Justin England wrote:

> I am new to IPFW, but not to firewalling / filtering in general. I have
> been reading the man pages and any tutorials that I can find. I have come
> up against something that I need some help on.
>
[snip]
>
> I am trying to use the stateful rules and have the following simple
> configuration to (start to) protect my mail server:
>
> mailserver="64.187.72.10"
>
> ${fwcmd} add check-state
>
>
> ${fwcmd} add allow tcp from any to ${mailserver} 25 keep-state setup
> ${fwcmd} add allow tcp from ${mailserver} to any 25 keep-state setup

Read the EXAMPLES section in man ipfw(8). There's a section on stateful
(or dynamic) rules, which reads:

     In order to protect a site from flood attacks involving fake TCP packets,
     it is safer to use dynamic rules:

           ipfw add check-state
           ipfw add deny tcp from any to any established
           ipfw add allow tcp from my-net to any setup keep-state

     This will let the firewall install dynamic rules only for those
     connection which start with a regular SYN packet coming from the inside
     of our network. Dynamic rules are checked when encountering the first
     check-state or keep-state rule. A check-state rule should usually be
     placed near the beginning of the ruleset to minimize the amount of work
     scanning the ruleset. Your mileage may vary.

IOW, if you don't have the second line, just about any packet will trigger
*some* rule later on. If you're going to use keep-state, you only want
rules to be created for "real" connections, and you want to reject
anything that begins with a RST or ACK (established) rather than a SYN
(setup).

As others have pointed out, you *may* also need to look at the values you have
in sysctl (especially net.inet.ip.fw.dyn_ack_lifetime, btw), and if you
need to make changes, make them in /etc/sysctl.conf(5) (which you may have to
create.) The syntax of sysctl.conf is var=val - e.g.
net.inet.ip.fw.dyn_ack_lifetime=480.

There's not much more irritating than having your ssh session freeze after
dyn_ack_lifetime surpasses its TTL.

HTH.

-- 
Paul Schmehl
pschmehl@sbcglobal.net
http://www.utdallas.edu/~pauls/
Never squat with your spurs on.
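
Added example, not part of the original post and not ipfw's own code: a toy Python model of the three man-page rules quoted above, walking a few constructed packets through them to show which ones create or ride a dynamic rule and what happens to an idle session once its state expires. The class name, addresses and ports are hypothetical; it assumes a single lifetime for every dynamic rule (taken from the post's dyn_ack_lifetime=480 example) and a default-deny final rule.

```python
import ipaddress
from collections import namedtuple

SYN, RST, ACK = 0x02, 0x04, 0x10          # TCP flag bits
Packet = namedtuple("Packet", "t src sport dst dport flags")

class ToyIpfw:
    """Simplified model of the three man-page rules; not ipfw's real code."""

    def __init__(self, my_net, dyn_ack_lifetime):
        self.my_net = ipaddress.ip_network(my_net)
        self.lifetime = dyn_ack_lifetime   # one lifetime for all states (simplification)
        self.states = {}                   # flow key -> expiry time in seconds

    def process(self, p):
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])  # both directions
        # ipfw add check-state
        if self.states.get(key, -1) >= p.t:
            self.states[key] = p.t + self.lifetime             # traffic refreshes the timer
            return "allow: check-state"
        self.states.pop(key, None)                             # expired or absent
        # ipfw add deny tcp from any to any established  (RST or ACK set)
        if p.flags & (RST | ACK):
            return "deny: established, no state"
        # ipfw add allow tcp from my-net to any setup keep-state  (SYN without ACK)
        if p.flags & SYN and ipaddress.ip_address(p.src) in self.my_net:
            self.states[key] = p.t + self.lifetime
            return "allow: setup keep-state"
        return "deny: default"             # assumes a default-deny final rule

def demo(lifetime=480):
    fw = ToyIpfw("10.0.0.0/24", lifetime)  # constructed addresses and ports
    client, server = ("10.0.0.5", 40000), ("192.0.2.22", 22)
    packets = [
        Packet(0, *client, *server, SYN),                     # inside host opens ssh
        Packet(1, *server, *client, SYN | ACK),               # reply rides the dynamic rule
        Packet(2, "203.0.113.9", 1234, "10.0.0.5", 80, ACK),  # fake mid-stream packet
        Packet(400, *client, *server, ACK),                   # within lifetime: refreshed
        Packet(400 + lifetime + 1, *client, *server, ACK),    # idle too long: state gone
    ]
    return [fw.process(p) for p in packets]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Calling `demo(300)` instead shows the fourth packet being dropped as well, since the session was idle for longer than the shorter lifetime.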