Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
R
R
Rad1us2015-12-19 13:20:07
FreeBSD
Rad1us, 2015-12-19 13:20:07

How does setup and keep-state work in IPFW?

Handbook quote:
"setup is a required keyword that defines the start of a session request for TCP packets.
keep-state is a required keyword. If it matches, the firewall creates a dynamic rule that will default to match bidirectional traffic between sender and destination for a given IP/port pairs over the specified protocol."
We have such a simple set of closed type rules:

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 800"
pif="em0"
ks="keep-state"

ipfw -q -f flush

# LOCAL
$cmd 010 allow all from any to any via em1
$cmd 020 allow all from any to any via lo0

# NAT IN
$cmd 100 divert natd ip from any to any in via $pif
$cmd 101 check-state

# OUT
$cmd 120 $skip icmp from any to any out via $pif $ks
$cmd 130 $skip udp from any to any 53 out via $pif $ks
$cmd 140 $skip tcp from any to any 53 out via $pif setup $ks
$cmd 150 $skip tcp from any to any 80 out via $pif setup $ks
$cmd 160 $skip tcp from any to any 443 out via $pif setup $ks

# IN
$cmd 300 allow tcp from any to me 22 in via $pif setup  $ks
$cmd 700 deny ip from any to any

# SKIPTO
$cmd 800 divert natd ip from any to any out via $pif
$cmd 810 allow ip from any to any

$cmd 900 deny ip from any to any

Let's look at the example of an incoming SSH connection, as I understand it:
The packet enters the firewall from the outside, nat is triggered on the 100th rule, then the packet falls under the 300th rule, which firstly allows the packet and it exits the firewall, and secondly creates an entry in dynamic table (keep-state). The response packet hits rule 101 and flies out of the firewall, passing through the nat. The next incoming packet is processed by rules 100 and 101, and since there is already an entry for it in the dynamic table, it passes.
Studying various examples of firewall configuration, I saw a record and
$cmd 300 allow tcp from any to me 22 in via $pif setup  $ks

and
$cmd 300 allow tcp from any to me 22 in via $pif  $ks

Works in both cases. Question: what for then setup is necessary? , and given that the handbook says that setup is required for TCP sessions, I don't understand anything at all...

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
A
athacker, 2015-12-19
@rad1us

setup is an optional keyword. setup should be used only when for some reason you need to catch exactly the moment of establishing a TCP session, and do something with this connection (or with the SYN packet itself) in the future. In other words, if the rule contains setup, then it will only be applied to TCP packets with the SYN flag set. This is the very first packet in a TCP session and is used by the client to request a connection.
In this case, as far as I understand, the purpose of using setup is to create a dynamic rule based on the first packet in the TCP connection (SYN packet), and so that all further packets within this connection no longer fall into the rules where ports are checked and created dynamic rules.

Similar questions
S
Sergey2014-07-04 15:03:35
Why is snmpget freebsd not getting data from a pingable cisco? 3Reply
S
sbh2016-07-29 05:35:37
How to install multiple versions of php on FreeBSD 10.3? 0Reply
C
CTOPMbI42014-07-31 10:12:16
How to configure ipfw for heavy loads? 1Reply
R
Randomiser2016-09-06 14:01:36
How to solve the problem with installing NOC Project? 0Reply
I
Ivan2016-09-15 11:20:36
What is the management port responsible for? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question