On 2004-07-31 13:51, Steve Bertrand <[EMAIL PROTECTED]> wrote:
> > There are many ways in which your ruleset might break. Two of the
> > most important comments I wanted to make when I first saw the posts
> > of this thread are:
> >
> > a) Why do you use static rule numbers?
> >
> > You'd only have to use static rule numbers if your ruleset
> > had more than 65536/100 = 655 rules. This limit is
> > relatively hard to hit in a SOHO installation (Small Office,
> > Home Office). If you do reach such limits, there's
> > definitely something weird going on with the way your ruleset
> > is written ;-)
> >
>
> Giorgos, I am interested in where I can get more information about
> this. Are you suggesting that IPFW reads the ruleset and formulates a
> rule number according to position in the script? (I always use custom
> scripts).
The description of `rule number' in the ipfw(8) manpage explains the way
ipfw chooses rule numbers automatically:

     rule_number
             Each rule is associated with a rule_number in the range
             1..65535, with the latter reserved for the default rule.
             [...]  If a rule is entered without specifying a number,
             the kernel will assign one in such a way that the rule
             becomes the last one before the default rule.  Automatic
             rule numbers are assigned by incrementing the last
             non-default rule number by the value of the sysctl
             variable net.inet.ip.fw.autoinc_step which defaults to
             100.

This means that the largest number of rules you can add with unique
numbers is 65534.  The 65535 rule is the default firewall rule, either a
deny rule or an allow if the kernel was compiled with the option
IPFIREWALL_DEFAULT_TO_ACCEPT enabled.

The autoincrement step is the number that is automatically added to rule
numbers when you don't specify one.  For example, note the numbers that
get assigned to the rules below:

[EMAIL PROTECTED]:49]/root# kldload ipfw
[EMAIL PROTECTED]:49]/root# ipfw -q flush
[EMAIL PROTECTED]:49]/root# ipfw add pass ip from 127.0.0.1 to 127.0.0.1 via lo0
00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
[EMAIL PROTECTED]:49]/root# ipfw add deny ip from 127.0.0.1 to any
00200 deny ip from 127.0.0.1 to any
[EMAIL PROTECTED]:49]/root# ipfw add deny ip from any to 127.0.0.1
00300 deny ip from any to 127.0.0.1
[EMAIL PROTECTED]:49]/root# ipfw show
00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny ip from 127.0.0.1 to any
00300 0 0 deny ip from any to 127.0.0.1
65535 0 0 deny ip from any to any
[EMAIL PROTECTED]:49]/root# ipfw -q flush
[EMAIL PROTECTED]:49]/root# kldunload ipfw
[EMAIL PROTECTED]:49]/root#

> If this is true, how does this ``dynamic'' feature get affected when
> one houses multiple rule _sets_?
If you have multiple sets of rules that you load at random times, and
the rulesets do not explicitly specify a starting rule number they'll be
``stacked on top of each other'' as shown below:

[EMAIL PROTECTED]:56]/root# ls -l ruleset*
-rw-r--r--  1 root  wheel  - 117 Aug  1 01:54 ruleset-lo0
-rw-r--r--  1 root  wheel  -  61 Aug  1 01:55 ruleset-misc
-rw-r--r--  1 root  wheel  - 161 Aug  1 01:56 ruleset-tcp
[EMAIL PROTECTED]:56]/root# cat ruleset-lo0
add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1
[EMAIL PROTECTED]:56]/root# cat ruleset-misc
add allow udp from any to any
add allow icmp from any to any
[EMAIL PROTECTED]:56]/root# cat ruleset-tcp
add check-state
add deny tcp from any to any established
add allow tcp from any to any out setup keep-state
add allow tcp from any to any 22 in setup keep-state
[EMAIL PROTECTED]:56]/root# kldload ipfw
[EMAIL PROTECTED]:57]/root# ipfw -q flush
[EMAIL PROTECTED]:57]/root# ipfw show
65535 0 0 deny ip from any to any
[EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-lo0
00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 deny ip from 127.0.0.1 to any
00300 deny ip from any to 127.0.0.1
[EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-misc
* 00400 allow udp from any to any
00500 allow icmp from any to any
[EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-tcp
* 00600 check-state
00700 deny tcp from any to any established
00800 allow tcp from any to any out setup keep-state
00900 allow tcp from any to any dst-port 22 in setup keep-state
[EMAIL PROTECTED]:57]/root# ipfw show
00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny ip from 127.0.0.1 to any
00300 0 0 deny ip from any to 127.0.0.1
00400 0 0 allow udp from any to any
00500 0 0 allow icmp from any to any
00600 0 0 check-state
00700 0 0 deny tcp from any to any established
00800 0 0 allow tcp from any to any out setup keep-state
00900 0 0 allow tcp from any to any dst-port 22 in setup keep-state
65535 0 0 deny ip from any to any

Note at the two lines marked with `*' and at the `ipfw show' output how
each set of rules gets attached to the end of the previous ruleset by
starting to number the rules with a number higher (by 100) than the last
rule of the previous ruleset.

If you load the rulesets in a different order, the numbers still
increase by 100 but come in a different order to match the order the
sets were loaded:

[EMAIL PROTECTED]:57]/root# ipfw -q flush
[EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-lo0
00100 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 deny ip from 127.0.0.1 to any
00300 deny ip from any to 127.0.0.1
[EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-tcp
* 00400 check-state
00500 deny tcp from any to any established
00600 allow tcp from any to any out setup keep-state
00700 allow tcp from any to any dst-port 22 in setup keep-state
[EMAIL PROTECTED]:57]/root# ipfw /root/ruleset-misc
* 00800 allow udp from any to any
00900 allow icmp from any to any
[EMAIL PROTECTED]:57]/root# ipfw show
00100 0 0 allow ip from 127.0.0.1 to 127.0.0.1 via lo0
00200 0 0 deny ip from 127.0.0.1 to any
00300 0 0 deny ip from any to 127.0.0.1
00400 0 0 check-state
00500 0 0 deny tcp from any to any established
00600 0 0 allow tcp from any to any out setup keep-state
00700 0 0 allow tcp from any to any dst-port 22 in setup keep-state
00800 0 0 allow udp from any to any
00900 0 0 allow icmp from any to any
65535 0 0 deny ip from any to any

> Can you please provide any links to information that I can gain
> valuable information on this? This would certainly make ruleset
> creation much easier ;o)
>
> Also, links to any information on how/what/why on the 16b/100 limit on
> the dynamic rules, so I (we) can learn more about this?
I'm not sure I understand this question :-/

Cheers
- Giorgos

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
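The numbering and stacking behaviour Giorgos demonstrates above can be checked on paper before anything is loaded on a live firewall. The following Python model is an added example, not code from this mail thread or from the FreeBSD project: it implements the ipfw(8) rule for automatic numbering (last non-default number plus `net.inet.ip.fw.autoinc_step`, default 100, with 65535 reserved for the default rule), keeps rules sorted by number the way the kernel evaluates them, and loads the three `ruleset-*` files from the mail in whichever order you choose so the resulting numbers, and therefore the evaluation order, are visible. Two points are assumptions of the model rather than facts from the mail: what happens when the next automatic number would reach 65535 (the model refuses instead of guessing the kernel's fallback), and the `add <number> ...` form for explicitly numbered rules, which is how ipfw accepts them but is not shown in the thread.

```python
"""Model of ipfw's automatic rule numbering as described in ipfw(8).

Added illustration only; it is not FreeBSD code.  It reproduces the
numbering the kernel applies to rules added without a number so that
the effect of loading several rulesets in a given order can be checked
offline.
"""

DEFAULT_RULE = 65535          # reserved for the default (last) rule
DEFAULT_STEP = 100            # default of net.inet.ip.fw.autoinc_step


class RuleChain:
    """Non-default rules kept sorted by number, plus the default rule."""

    def __init__(self, step=DEFAULT_STEP, default_action="deny ip from any to any"):
        self.step = step
        self.rules = []                       # list of (number, rule_text)
        self.default = (DEFAULT_RULE, default_action)

    def flush(self):
        """Equivalent of `ipfw -q flush': drop everything but the default rule."""
        self.rules = []

    def auto_number_available(self):
        """True while another rule can still get a unique automatic number."""
        last = self.rules[-1][0] if self.rules else 0
        return last + self.step < DEFAULT_RULE

    def add(self, rule_text, number=None):
        """Add one rule; with number=None pick the number the kernel would."""
        if number is None:
            # ipfw(8): increment the last non-default rule number by the step.
            if not self.auto_number_available():
                # Assumption of this model: refuse rather than guess what the
                # kernel does once the step would run into rule 65535.
                raise ValueError("no unique automatic rule number left")
            last = self.rules[-1][0] if self.rules else 0
            number = last + self.step
        elif not 1 <= number < DEFAULT_RULE:
            raise ValueError("rule number %d outside 1..65534" % number)
        # Keep the chain sorted: a rule lands after existing rules with the
        # same or a lower number, which is the order packets are matched in.
        idx = len(self.rules)
        while idx > 0 and self.rules[idx - 1][0] > number:
            idx -= 1
        self.rules.insert(idx, (number, rule_text))
        return number

    def load(self, ruleset_lines):
        """Load `add ...' lines like the ruleset-* files; return numbers given."""
        assigned = []
        for line in ruleset_lines:
            words = line.split()
            if not words or words[0] != "add":
                continue                      # blank lines are skipped
            if words[1].isdigit():            # assumed form: add <number> action ...
                assigned.append(self.add(" ".join(words[2:]), int(words[1])))
            else:                             # add action ...  -> automatic number
                assigned.append(self.add(" ".join(words[1:])))
        return assigned

    def show(self):
        """(number, text) pairs in the order `ipfw show' lists them."""
        return self.rules + [self.default]


def max_unique_auto_rules(step=DEFAULT_STEP):
    """How many rules can be auto-numbered before running into rule 65535."""
    return (DEFAULT_RULE - 1) // step


# The three rulesets from the mail, embedded here as constructed input.
RULESET_LO0 = """add allow ip from 127.0.0.1 to 127.0.0.1 via lo0
add deny ip from 127.0.0.1 to any
add deny ip from any to 127.0.0.1""".splitlines()

RULESET_MISC = """add allow udp from any to any
add allow icmp from any to any""".splitlines()

RULESET_TCP = """add check-state
add deny tcp from any to any established
add allow tcp from any to any out setup keep-state
add allow tcp from any to any 22 in setup keep-state""".splitlines()


def stack(rulesets, step=DEFAULT_STEP):
    """Load rulesets in order; return (numbers per ruleset, resulting chain)."""
    chain = RuleChain(step)
    numbers = [chain.load(rs) for rs in rulesets]
    return numbers, chain


if __name__ == "__main__":
    for order in ([RULESET_LO0, RULESET_MISC, RULESET_TCP],
                  [RULESET_LO0, RULESET_TCP, RULESET_MISC]):
        _, chain = stack(order)
        for num, text in chain.show():
            print("%05d %s" % (num, text))
        print("--")
    print("auto-numbered rules possible with step 100:", max_unique_auto_rules())
```

Running it prints the two `ipfw show` listings from the mail (100..900 in load order, then 65535) and 655 as the number of rules that fit with the default step, which is the figure Giorgos quoted. Because the numbers, and thus the match order, follow load order, the model is also a cheap way to confirm that a stateful set like `ruleset-tcp` ends up where its `check-state` and `deny ... established` rules are meant to sit relative to the other sets.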