Differences between ipfw and iptables, and some research on "established"

Source: Internet
Author: User

From: http://hi.baidu.com/x13ky

I was familiar with Linux before this. Whether it is the Red Hat family or the Debian family, the firewall is always iptables, which I know quite well.

Recently I started working with FreeBSD and found ipfw really hard to understand at first, especially with iptables already in my head :)

In the end, reading the man page and the Handbook carefully is the most reliable way. I am writing this down before I forget it, for your reference.

I. State in iptables and dynamic rules in ipfw

In iptables, NEW matches the first packet of a connection (for TCP, the SYN) and ESTABLISHED matches the later packets of a normal session;

In ipfw the two halves are separate keywords. A rule with keep-state creates a dynamic rule when a packet matches it, and a check-state rule placed early in the list matches the later packets of that flow against the dynamic table. The first packet of a TCP connection is matched with setup (SYN set, ACK clear). The hardest part to grasp is that packets matching established get rejected: established matches TCP packets with ACK or RST set, and since check-state sits in front and has already passed everything that belongs to a known connection, an established packet that reaches the deny rule belongs to no tracked connection, i.e. it is an abnormal packet and has to be killed. There is also the frag rule, which is hard to explain in one sentence: frag matches fragments other than the first, and those carry no TCP/UDP header, so they cannot be checked against ports or state. The English comments on these two rules in the FreeBSD Handbook's example ruleset put it well:

# Deny any late arriving packets
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

Sometimes the English wording expresses the meaning more precisely.

II. Difference between ipfw enable/disable firewall and service iptables start/stop

With iptables on Linux, after service iptables stop the rule list shown by iptables -nvL is empty;

With ipfw on FreeBSD, after ipfw disable firewall the rules are still there: ipfw show still lists them, because disable only clears the net.inet.ip.fw.enable sysctl, and ipfw enable firewall puts exactly those rules back into effect.

iptables -F and ipfw -q -f flush have the same effect: both clear every rule, but the default policy survives (the chain policy in iptables; in ipfw the fixed last rule 65535, which is deny unless the kernel was built to default to accept). If that default is deny you lose your remote session, so do not run this command on its own :) If you have to reload rules over ssh, arrange a way back first, for example a job scheduled to run ipfw disable firewall a minute later that you cancel once you have confirmed you still have access; disabling leaves the rules loaded but stops enforcing them.

III. Research on a few questions about ipfw scripts

The requirements were:

1. Allow hosts on 192.168.70.0/24 to ping the local machine;
2. Allow hosts on 192.168.70.0/24 and 10.10.33.0/24 to ssh to the local machine;
3. Allow hosts on 192.168.70.0/24 to connect to the local machine via ftp;
4. No restrictions on outbound traffic.
I wrote the following script:
#!/bin/sh
cmd="ipfw -q add"
inf="em0"
###### Init rules
ipfw -q -f flush
$cmd 00100 allow ip from any to any via lo0
$cmd 00200 check-state
# non-first fragments carry no TCP/UDP header and cannot be matched, so drop them
$cmd 00300 deny all from any to any frag in via $inf
# ACK/RST packets that get this far matched no dynamic rule
$cmd 00400 deny tcp from any to any established in via $inf
###### Input rules (ssh, ftp, icmp)
$cmd 00600 allow icmp from 192.168.70.0/24 to me keep-state
$cmd 00601 allow tcp from 192.168.70.0/24,10.10.33.0/24 to me 22 setup keep-state
$cmd 00602 allow tcp from 192.168.70.0/24 to me 21 setup keep-state
###### Output rules
# $cmd 00700 allow icmp from 192.168.70.0/24 to me keep-state
$cmd 00700 allow all from me to any keep-state
###### Default rules (log)
$cmd 64000 deny log icmp from any to any
$cmd 65000 deny udp from any to any

With this script, a PuTTY session that is connected to the machine gets cut off as soon as the script is run again; all you can do is restart the session, as shown below:

root@freebsd [/home/xysky]# ./a.sh
root@freebsd [/home/xysky]# ========== disconnected here; right-click the PuTTY title bar, Restart Session, and connect again!!!!! (If you only run ipfw -q -f flush, the session is cut at once and no # prompt comes back. The # prompt above shows that ./a.sh completed.)
login as: root ===== session restarted, connected, logging in
Using keyboard-interactive authentication.
Password:
Last login: Sat Jul 23 09:28:38 2011 from 192.168.70.26
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California. All rights reserved.

FreeBSD 8.2-RELEASE (GENERIC) #0: Fri Feb 18 02:24:46 UTC 2011

Welcome To Here :)
root@freebsd [/root]#
My first guess was that ipfw -q -f flush cleared the rules, and since the default rule is deny the session broke; the rules added afterwards then take effect and a connection can be made again. But a script runs to completion in one go, and iptables was never like this: -F came first there too, yet even though -P is drop by default it never disconnected me, whereas this damned ipfw script always does, which is very uncomfortable.

Later I read the log carefully (the deny rule needs log on it, and ipfw enable verbose has to be turned on beforehand) and found:

Jul 23 10:12:36 freebsd kernel: ipfw: 400 Deny TCP 192.168.70.xxx:4196 10.10.26.xxx:22 in via em0

Rule 400 (as listed by ipfw show, with its packet and byte counters) is:

00400 11 2000 deny log tcp from any to any established in via em0

Now I understand why: the packets of the already-connected ssh session are, from the reloaded ipfw's point of view, established packets (they carry ACK), but the flush threw away the dynamic rules together with the static ones, so check-state no longer knows that connection, and they are not SYN packets that could match setup; they fall through to rule 400 and are killed. Argh!!! The only cure is to open a new connection, whose SYN creates a fresh dynamic rule that check-state then matches. This is also why the same sequence does not bite with iptables: -F clears the rules but not the conntrack table, so an ESTABLISHED match still succeeds once the rules are reloaded.

If you do not want to reconnect, you could instead stop denying established packets in the ruleset and let them through. The problem this creates is that an attacker can run nmap -sA (an ACK scan) against your ipfw host: with the established deny in place, an unsolicited ACK is dropped silently and every port shows as filtered, whereas a host that lets it through answers with a RST, which tells the scanner the ports are unfiltered and that the firewall is not tracking state. So it is not recommended.
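To see the mechanism of sections I and III end to end, here is a small Python model of the matching ipfw does with check-state, keep-state, setup and established, replaying the packets of this post in order: the first ssh SYN, its data, the reload, the old session's next packet (hitting rule 400 exactly as in the log), a fresh SYN, a SYN from a network not in the list, and an nmap -sA style ACK probe. This is an added example, not code from the post or from FreeBSD, and it is a simplified matcher (no dynamic-rule timeouts, no TCP state tracking inside an entry, no interface or fragment matching, so rules 100 and 300 are left out); the host address 10.10.26.1 (masked as 10.10.26.xxx in the post), the client port numbers and the outside address 10.10.20.5 are constructed.

```python
# Toy model of ipfw's check-state / keep-state / setup / established / flush, added
# for this page (not the post's or FreeBSD's code): no timeouts, no per-entry TCP
# state, no interface or fragment matching (rules 100 and 300 omitted); host address
# 10.10.26.1 (masked in the post) and every packet below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ME = "10.10.26.1"      # assumed address of the FreeBSD host
DEFAULT_RULE = 65535   # ipfw's built-in last rule; deny on a default kernel

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    direction: str = "in"           # "in" or "out" via em0

@dataclass(frozen=True)
class Rule:
    num: int
    action: str                     # "allow", "deny" or "check-state"
    proto: str = "all"
    src: tuple = ("any",)           # "any", "me" or CIDR networks
    dst: tuple = ("any",)
    dport: int = None               # None: any port
    direction: str = None           # None: either direction
    setup: bool = False             # TCP with SYN set and ACK clear
    established: bool = False       # TCP with ACK or RST set
    keep_state: bool = False        # create a dynamic entry on match

def _addr_ok(spec, addr):
    a = ip_address(addr)
    return any(a == ip_address(ME) if s == "me" else s == "any" or a in ip_network(s) for s in spec)

def _static_match(r, p):
    return (r.proto in ("all", p.proto) and r.direction in (None, p.direction)
            and _addr_ok(r.src, p.src) and _addr_ok(r.dst, p.dst)
            and r.dport in (None, p.dport)
            and (not r.setup or ("SYN" in p.flags and "ACK" not in p.flags))
            and (not r.established or bool(p.flags & {"ACK", "RST"})))

def _flow(p):   # direction-independent key, so replies match the same entry
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Firewall:
    def __init__(self):
        self.rules, self.dynamic = [], {}   # dynamic: flow key -> creating rule

    def flush(self):   # ipfw -q -f flush: static rules and their dynamic entries go
        self.rules.clear()
        self.dynamic.clear()

    def check(self, p):   # -> (action, rule number); may add a dynamic entry
        for r in sorted(self.rules, key=lambda r: r.num):
            if r.action == "check-state":
                parent = self.dynamic.get(_flow(p))
                if parent is not None:
                    return parent.action, parent.num
            elif _static_match(r, p):
                if r.keep_state:
                    self.dynamic[_flow(p)] = r
                return r.action, r.num
        return "deny", DEFAULT_RULE

def load_post_ruleset(fw):
    """The post's a.sh, starting with the flush that causes the trouble."""
    fw.flush()
    lan, me = ("192.168.70.0/24",), ("me",)
    fw.rules += [Rule(200, "check-state"),
                 Rule(400, "deny", "tcp", established=True, direction="in"),
                 Rule(600, "allow", "icmp", lan, me, keep_state=True),
                 Rule(601, "allow", "tcp", lan + ("10.10.33.0/24",), me, 22, setup=True, keep_state=True),
                 Rule(602, "allow", "tcp", lan, me, 21, setup=True, keep_state=True),
                 Rule(700, "allow", src=me, keep_state=True),
                 Rule(64000, "deny", "icmp"),
                 Rule(65000, "deny", "udp")]

def replay_post_scenario():
    """Packets in the order the post describes; returns [(label, action, rule)]."""
    fw, client = Firewall(), "192.168.70.26"

    def ssh_in(sport, *flags):   # constructed client packet to the host's port 22
        return Packet("tcp", client, ME, sport, 22, frozenset(flags), "in")

    load_post_ruleset(fw)
    out = [("first ssh SYN", *fw.check(ssh_in(4196, "SYN"))),
           ("first ssh data (ACK)", *fw.check(ssh_in(4196, "ACK"))),
           ("host's reply to it", *fw.check(Packet("tcp", ME, client, 22, 4196, frozenset({"ACK"}), "out")))]
    load_post_ruleset(fw)   # ./a.sh run again over the live session
    out += [("old ssh data after reload", *fw.check(ssh_in(4196, "ACK"))),
            ("new ssh SYN", *fw.check(ssh_in(4201, "SYN"))),
            ("ssh SYN from an unlisted net", *fw.check(Packet("tcp", "10.10.20.5", ME, 40000, 22, frozenset({"SYN"})))),
            ("nmap -sA style ACK probe", *fw.check(Packet("tcp", "10.10.20.5", ME, 40001, 80, frozenset({"ACK"}))))]
    return out
```

The line to compare is the old session's ACK after the reload, denied by rule 400, against the same packet before the reload, allowed via check-state under rule 601; the ACK probe from outside is dropped by the same rule 400, which is what keeps an ACK scan from getting a RST back. The model stops at what the log shows; real ipfw also has rule 700's keep-state on the host's own outbound traffic, which this model does not exercise.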

Then again, a full ruleset is not normally re-run on a whim, so this was only a study :)

Finally, many thanks to 9you winsky, showrun, 360 and the other buddies for their help. Thank you.
