ipfilter: where to use 'keep state'

Post by thehijac.. » Sun, 28 Oct 2001 10:22:31



I've read many how-to's and FAQs about ipf and ipnat... But I still
can't quite figure out where to use keep state.

The firewall has 3 NICs (LAN, DMZ, Internet).

e.g. a connection from the web to my httpd server in the DMZ:

should I add the 'flags S keep state' at the external adapter as 'pass
in' or on the internal DMZ adapter as 'pass out'? or both?

----------------------
# variant 1: state kept on the external (inbound) side only
pass in quick on ep2 proto tcp from any to 192.168.112.201/32 port = 80 flags S keep state
pass out quick on ep1 proto tcp from any to 192.168.112.201/32 port = 80
----------------------

OR

----------------------
# variant 2: state kept on the DMZ (outbound) side only
pass in quick on ep2 proto tcp from any to 192.168.112.201/32 port = 80
pass out quick on ep1 proto tcp from any to 192.168.112.201/32 port = 80 flags S keep state
----------------------

OR

----------------------
# variant 3: state kept on both interfaces
pass in quick on ep2 proto tcp from any to 192.168.112.201/32 port = 80 flags S keep state
pass out quick on ep1 proto tcp from any to 192.168.112.201/32 port = 80 flags S keep state
----------------------

???

can anyone help? steven


ipfilter: where to use 'keep state'

Post by Raphael Marmie » Tue, 30 Oct 2001 23:04:15



> I've read many how-to's and FAQs about ipf and ipnat... But I still
> can't quite figure out where to use keep state.

> The firewall has 3 NICs (LAN, DMZ, Internet).

> e.g. a connection from the web to my httpd server in the DMZ:

> should I add the 'flags S keep state' at the external adapter as 'pass
> in' or on the internal DMZ adapter as 'pass out'? or both?

I suppose you can do both. I would pass in on the external adapter proto tcp
port 80 going to the DMZ adapter with keep state and block everything else.
Don't forget to write rules to allow outgoing connections from your networks. Use
keep state in this case as well to allow responses from the internet on these
connections only.

This way, you really ban all traffic not explicitly allowed or responding
to an outgoing session.

I hope this helps, I'm fairly new at this too.

Raphael
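A complete ipf.conf for the three-NIC layout in the question, added here as an example; it is not code from either post. The interface names ep2 (Internet) and ep1 (DMZ) and the web server address 192.168.112.201 are taken from the question; the LAN interface ep0, the LAN network 192.168.1.0/24 and the DMZ network 192.168.112.0/24 are assumptions. It follows the advice above: keep state on the rule of the interface where a connection is first seen, and block everything else by default. The point the question is really asking about is that ipf evaluates a forwarded packet twice, once as "in" on the interface it arrives on and once as "out" on the interface it leaves by, and each of those two checks must be satisfied either by a state entry or by a pass rule.

```conf
# Added example, not from the original thread.  Assumed: ep0 = LAN
# (192.168.1.0/24), ep1 = DMZ (192.168.112.0/24), ep2 = Internet.
# ipf applies the last matching rule unless a rule says "quick", so the two
# block rules at the top are the default policy and every "pass ... quick"
# below is an exception to it.

# --- default policy: drop and log anything no later rule passes -----------
block in log all
block out log all

# --- loopback -------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

# --- anti-spoofing on the external interface ------------------------------
# Packets arriving from the Internet may not claim a private or loopback
# source; this also covers anything claiming to come from our own LAN or DMZ.
block in quick on ep2 from 10.0.0.0/8 to any
block in quick on ep2 from 172.16.0.0/12 to any
block in quick on ep2 from 192.168.0.0/16 to any
block in quick on ep2 from 127.0.0.0/8 to any

# --- inbound HTTP from the Internet to the DMZ web server -----------------
# Check 1: the SYN arrives "in" on ep2.  "flags S" means only a bare SYN can
# create state; "keep state" then admits the rest of that connection, in
# both directions on this interface, with no further rule needed here.
pass in quick on ep2 proto tcp from any to 192.168.112.201/32 port = 80 flags S keep state

# Check 2: the same SYN is evaluated again as it leaves "out" on ep1 towards
# the DMZ.  Without a matching out rule the default policy drops it, which
# is why an out rule on ep1 is needed in every one of the three variants.
# "keep state" on this side too (variant 3) is redundant but harmless: the
# DMZ side of the flow then never depends on a state entry created on ep2.
pass out quick on ep1 proto tcp from any to 192.168.112.201/32 port = 80 flags S keep state

# The server's SYN/ACK and data arrive "in" on ep1 and leave "out" on ep2;
# both checks are satisfied by the state entries above, so no port-80
# "pass in on ep1" or "pass out on ep2" rule exists, and nothing that is
# not part of a tracked connection gets through on either interface.

# --- outbound connections from the LAN ------------------------------------
# Keep state where the connection is first seen ("in" on ep0) and again as it
# leaves on ep2; replies from the Internet are then admitted on ep2 only if
# they belong to a tracked flow.
pass in quick on ep0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass in quick on ep0 proto udp from 192.168.1.0/24 to any port = 53 keep state
pass out quick on ep2 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on ep2 proto udp from 192.168.1.0/24 to any port = 53 keep state

# Nothing else is passed: the DMZ host cannot open connections to the LAN
# or to the Internet, and the Internet reaches only port 80 on the web
# server.  Add further "pass ... keep state" pairs for anything else needed.
```

To check the file before loading it, run `ipf -n -f /etc/ipf.conf` (the -n flag parses without changing the running kernel), then load with `ipf -Fa -f /etc/ipf.conf`. After opening one connection to port 80 from outside, `ipfstat -sl` should list exactly one entry for 192.168.112.201 port 80, and that entry should disappear after the connection closes; if the SYN is logged as blocked "out" on ep1 instead, the out rule on the DMZ interface is missing. The example omits ipnat; if the LAN is mapped behind ep2, the out rules on ep2 still match the untranslated 192.168.1.0/24 source, because ipf filters outbound packets before ipnat translates them and filters inbound packets after ipnat has translated them.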


1. Combining NATD with IPFW's "keep-state" and "check-state" rules

I'm having some difficulty creating a customized firewall
configuration that uses both address translation and stateful
inspection.  Here's what I'm trying to do:

 1. protect against IP spoofing, both in- and outbound

 2. allow inbound SMTP, FTP, HTTP, and DNS traffic to various hosts
    behind the firewall, statefully (and using NAT)

 3. filter outbound traffic (e.g. only HTTP, FTP, DNS, NTP, RealAudio,
    etc.), statefully, hiding behind the Firewall's external IP.

 4. filter IPSEC-encapsulated traffic

Thanks to /etc/rc.firewall, I've got rules for #1 (admittedly, proper
placement around "divert" and "check-state" rules is going to be an
issue), but the others elude me, especially since the available
documentation (the Handbook, the FAQ, the manual pages, FreeBSD
problem reports, the default firewall rule base in /etc/rc.firewall,
and the contents of /usr/share/examples) is pretty short on examples
of advanced usage.

If someone could point me to alternate resources, especially advanced
IPFW and NATD configurations, I would be very grateful.  I would also
be glad to share my firewall configuration in order to learn these
more advanced techniques.

Kind regards,
#\Matthew

--
"We know for certain only when we know little.  With knowledge, doubt
increases." - Goethe
