Chapter 12

It is always a good idea to clear all existing firewall rules by specifying the flush command in the first line of the configuration file.

A sample ruleset file looks like the following code:

    # flush removes every existing rule before the new set is loaded
    flush
    # check-state must appear before any keep-state rule it is meant to serve
    add check-state
    add allow tcp from me to any setup keep-state
    add allow tcp from 192.168.1.0/24 to me keep-state
    add allow ip from 10.1.1.0/24 to me
    add allow ip from any to any

The above example shows a typical ruleset file that is loaded from the command line or from rc.conf upon system startup, as mentioned earlier.

This sample also illustrates a stateful ruleset. A stateful ruleset is a set that contains one or more keep-state keywords. Once a packet matches a rule with a keep-state keyword, a "dynamic rule" with the exact information about the matched packet, and a limited lifetime, is created automatically. This lets the firewall pass the traffic for this specific flow without checking further rules in the ruleset.

To make this happen, you should add a check-state rule before any other stateful statement (the first rule in your ruleset would be a good place, but you can relocate it to any position of your choice depending on your firewall configuration).

Once a check-state is seen in a firewall ruleset, the packet is checked against all dynamic rules.

To see a list of existing dynamic rules, you should use -d in conjunction with the ipfw show command, as shown here:

    # ipfw -d show
    00010 0 0 check-state
    00020 9562 4123 allow tcp from me to any setup keep-state
    00030 718 9965 allow tcp from 192.168.1.0/24 to me keep-state
    00040 618 6565 allow ip from 10.1.1.0/24 to me
    00100 1671 2734 allow ip from any to any
    65535 465 4556 deny ip from any to any
    ## Dynamic rules (4):
    00020 1024 53913 (242s) STATE tcp 192.168.1.2 63142 210.21.10.239 443
    00020 0 734 (239s) STATE tcp 192.168.1.2 49313 209.216.195.2 80
    00020 12032 495902 (177s) STATE tcp 192.168.1.2 56770 72.14.215.99 80
    00020 10752 571074 (287s) STATE tcp 192.168.1.2 55407 84.241.58.34 443
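To make the check-state / keep-state interaction concrete, here is an added example (not code from the book, and not ipfw's implementation) that models the behaviour the text describes in Python: rules are evaluated in number order, a keep-state match creates a dynamic rule for that exact flow with a limited lifetime, a check-state rule matches packets against the dynamic rules before the static rules continue, and expired dynamic rules disappear. The rule numbers are taken from the `ipfw -d show` output above; the firewall's own address (`ME`), the packets and the 300-second lifetime are constructed values for illustration only.

```python
"""Toy model of ipfw stateful rule evaluation (added example, not from the book).

Only the behaviour the chapter describes is modelled: first-match evaluation,
keep-state creating a dynamic rule, check-state consulting the dynamic rules,
and dynamic-rule expiry. Addresses, ports and lifetimes are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the addresses the firewall host owns, i.e. what "me" matches.
ME = {"192.168.1.1"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool = False  # True for the opening packet of a TCP connection ("setup")


@dataclass
class Rule:
    number: int
    action: str            # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    setup: bool = False
    keep_state: bool = False


@dataclass
class DynamicRule:
    parent: Rule           # keep-state rule that created this entry
    proto: str
    a: str
    aport: int
    b: str
    bport: int
    expires_at: float

    def matches(self, pkt):
        # A dynamic rule matches both directions of the recorded flow.
        ends = {(self.a, self.aport), (self.b, self.bport)}
        return pkt.proto == self.proto and {(pkt.src, pkt.sport), (pkt.dst, pkt.dport)} == ends


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.setup and not pkt.syn_only:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


class Firewall:
    def __init__(self, rules, lifetime=300.0):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.lifetime = lifetime
        self.dynamic = []

    def evaluate(self, pkt, now):
        """Return (action, rule_number) for pkt at time `now` (seconds)."""
        self.dynamic = [d for d in self.dynamic if d.expires_at > now]  # expire old state
        for rule in self.rules:
            if rule.action == "check-state":
                for d in self.dynamic:
                    if d.matches(pkt):
                        d.expires_at = now + self.lifetime   # refresh the lifetime
                        return (d.parent.action, d.parent.number)
                continue                                     # no state: keep going
            if not rule_matches(rule, pkt):
                continue
            if rule.keep_state:
                self.dynamic.append(DynamicRule(rule, pkt.proto, pkt.src, pkt.sport,
                                                pkt.dst, pkt.dport, now + self.lifetime))
            return (rule.action, rule.number)
        return ("deny", 65535)                               # implicit default rule


# The chapter's sample ruleset, numbered as in the `ipfw -d show` listing.
SAMPLE_RULESET = [
    Rule(10, "check-state"),
    Rule(20, "allow", "tcp", "me", "any", setup=True, keep_state=True),
    Rule(30, "allow", "tcp", "192.168.1.0/24", "me", keep_state=True),
    Rule(40, "allow", "ip", "10.1.1.0/24", "me"),
    Rule(100, "allow", "ip", "any", "any"),
]


def demo():
    fw = Firewall(SAMPLE_RULESET, lifetime=300)
    # Outbound SYN from the firewall host: matches rule 20 and creates a dynamic rule.
    out = fw.evaluate(Packet("tcp", "192.168.1.1", 63142, "210.21.10.239", 443, syn_only=True), now=0)
    # The reply is accepted by check-state (rule 10) via the dynamic rule, credited to rule 20.
    reply = fw.evaluate(Packet("tcp", "210.21.10.239", 443, "192.168.1.1", 63142), now=5)
    # Long after the state has expired the same reply falls through the static rules to rule 100.
    late = fw.evaluate(Packet("tcp", "210.21.10.239", 443, "192.168.1.1", 63142), now=1000)
    return out, reply, late, len(fw.dynamic)


if __name__ == "__main__":
    print(demo())
```

The `late` packet is the instructive case: because the sample ruleset ends with `allow ip from any to any`, an unsolicited or stale packet is still admitted by rule 100, so in this particular set the keep-state rules only change which rule gets the credit. Whether stale flows should instead be dropped is a decision that belongs in the final rule of a real ruleset, and `ipfw -d show` is the way to confirm which flows currently hold dynamic state.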