FreeBSD IPFW/IPFILTER & sysctl MIB's
Crist J. Clark
cristjc at comcast.net
Tue Dec 9 21:51:27 PST 2003
On Sun, Dec 07, 2003 at 11:49:42AM -0500, fbsd_user wrote:
[snip]
How's it goin', fbsd_user? Been a while.
> The question is, who get access to the packets first, these MIB's
> or the firewall?
There is no simple answer to this. The MIB values affect behaviors
within the kernel. The important parts of ipfw(8) and ipf(8) are code
inside of the kernel. Some of the behavior of ipfw(8) and ipf(8)
themselves is controlled by sysctl(8) knobs,
net.inet.ip.fw.enable
net.inet.ip.fw.one_pass
net.inet.ip.fw.debug
net.inet.ip.fw.verbose
...
net.inet.ipf.fr_flags
net.inet.ipf.fr_pass
net.inet.ipf.fr_active
net.inet.ipf.fr_tcpidletimeout
...
Whether a specific entry in the sysctl(8) MIB has an effect felt
before a packet gets to ipfw(8) or ipf(8) processing depends on that
specific entry.
And just because the feature enabled by the sysctl(8) knob occurs
after firewall processing does not mean it is useless. Packets that
are allowed through the firewall still will be affected by their
settings. For example, you set net.inet.tcp.drop_synfin and have a
rule like,
    02000 pass tcp from any to ${smtpsrv} 25
for your mail server. You do not need to add an explicit drop rule for
SYN+FIN packets in your firewall rules (or more likely, you are
protected if you forget such a rule).
--
Crist J. Clark | cjclark at alum.mit.edu
| cjclark at jhu.edu
http://people.freebsd.org/~cjc/ | cjc at freebsd.org
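A toy model of the ordering the message describes, added here as an illustration and not part of the original mail or of FreeBSD itself: ipfw is evaluated at the IP layer, drop_synfin is checked later in TCP input, so the pass rule for the mail server lets a SYN+FIN segment through the firewall and the sysctl still discards it. The address 192.0.2.25 stands in for ${smtpsrv}, and the rule parser handles only the one rule form the message shows.

```python
"""Toy model: the path an inbound packet takes past ipfw and then past the
net.inet.tcp.drop_synfin knob. Not kernel code; the ordering (firewall at the
IP layer first, TCP-layer sysctl afterwards) is the only thing it models."""
from dataclasses import dataclass

SMTPSRV = "192.0.2.25"  # constructed address standing in for ${smtpsrv}
RULES = [f"02000 pass tcp from any to {SMTPSRV} 25"]  # the rule from the mail
SYSCTL = {"net.inet.tcp.drop_synfin": 1}               # knob set, as in the mail


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    flags: set


def ipfw_check(rules, pkt):
    """Return (rule number, action) of the first matching rule.
    Only 'NNNNN pass|deny proto from SRC to DST PORT' is understood;
    no match falls through to the implicit default deny rule 65535."""
    for line in rules:
        num, action, proto, _from, src, _to, dst, port = line.split()
        if proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if port != "any" and int(port) != pkt.dport:
            continue
        return int(num), action
    return 65535, "deny"


def tcp_input(pkt, sysctl):
    """TCP-layer handling: with drop_synfin set, a segment carrying both
    SYN and FIN is discarded even though the firewall already passed it."""
    if sysctl.get("net.inet.tcp.drop_synfin", 0) and {"SYN", "FIN"} <= pkt.flags:
        return "dropped by drop_synfin"
    return "delivered"


def inbound(pkt, rules=RULES, sysctl=SYSCTL):
    """Firewall first; only packets it passes ever reach the TCP-layer knob."""
    num, action = ipfw_check(rules, pkt)
    if action != "pass":
        return f"denied by ipfw rule {num}"
    return tcp_input(pkt, sysctl)
```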