# IPFW stateful



## Junaid (May 23, 2011)

Hi,


```
ipfw add ### check-state
ipfw add ### permit tcp from any to 192.168.1.5 80 setup keep-state
ipfw add ### permit tcp from 192.168.1.0/24 to any setup keep-state
ipfw add ### permit all from 192.168.1.0.24 to any keep-state
ipfw add ### deny log all from any to 192.168.1.0/24
```

This should allow me to run a webserver and drop all other packets to 192.168.1.5. It should allow all LAN traffic to go out, while only allowing internally initiated traffic to come back.

I think there is something wrong! Please correct my mistake.


----------



## DutchDaemon (May 23, 2011)

Does *ipfw list* and/or *ipfw show* (I forget which one prints the loaded ruleset) actually print those rules as active?


----------



## wblock@ (May 23, 2011)

What is the problem?  At a guess, I'd say you can't get to the webserver except from the LAN because there aren't any rules to redirect outside connections to the webserver.


----------



## Junaid (May 24, 2011)

Well, NAT is taken care of by PPP.

```
ipfw add ### check-state
ipfw add ### permit tcp from any to 192.168.1.5 80 setup keep-state
ipfw add ### permit tcp from 192.168.1.0/24 to any setup keep-state
ipfw add ### permit all from 192.168.1.0.24 to any keep-state
ipfw add ### deny log all from any to 192.168.1.0/24
```

So I am thinking check-state would check the dynamic rules, and if no match is found it moves to the next rule, right? Then I have allowed all connections to port 80 on 192.168.1.5. Are setup and keep-state useful here or not? Then any TCP connection from the internal LAN is allowed with setup and keep-state, which means no one from outside can initiate connections? I allowed all other services from the LAN with keep-state, and at the end deny everything else, and this should include connections initiated from outside?


----------
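
The evaluation order asked about in the post above, as an added example that is not part of the original thread: a simplified Python model of ipfw's first-match walk with check-state, setup and keep-state, run over constructed packets. It assumes the posted `192.168.1.0.24` means `192.168.1.0/24`, a default-deny final rule, and a single pass per packet; state timeouts and TCP state tracking are left out.

```python
import ipaddress

LAN = "192.168.1.0/24"  # assumption: the posted "192.168.1.0.24" read as a /24
# Rule fields: (action, proto, src, dst, dst_port, setup, keep_state)
RULES = [
    ("check-state",),
    ("permit", "tcp", "any", "192.168.1.5", 80, True, True),
    ("permit", "tcp", LAN, "any", None, True, True),
    ("permit", "all", LAN, "any", None, False, True),
    ("deny", "all", "any", LAN, None, False, False),
]

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def decide(pkt, states, rules=RULES):
    """First-match walk; a keep-state entry matches both directions of a flow."""
    proto, src, sport, dst, dport, flags = pkt
    key = (proto, frozenset({(src, sport), (dst, dport)}))
    for num, rule in enumerate(rules, 1):
        if rule[0] == "check-state":
            if key in states:
                return states[key], "dynamic"  # action of the parent rule
            continue  # no dynamic match: evaluation moves to the next rule
        action, r_proto, r_src, r_dst, r_port, setup, keep = rule
        matches = (r_proto in ("all", proto)
                   and addr_match(r_src, src) and addr_match(r_dst, dst)
                   and r_port in (None, dport)
                   and (not setup or flags == "S"))  # setup: SYN set, ACK clear
        if matches:
            if keep:
                states[key] = action
            return action, f"rule {num}"
    return "deny", "default"  # assumption: the kernel's final rule is deny

# Constructed packets: (proto, src, sport, dst, dport, tcp_flags)
SAMPLE = [
    ("tcp", "203.0.113.7", 40000, "192.168.1.5", 80, "S"),      # web client SYN
    ("tcp", "192.168.1.5", 80, "203.0.113.7", 40000, "SA"),     # server reply
    ("tcp", "192.168.1.10", 50000, "198.51.100.2", 443, "S"),   # LAN host out
    ("tcp", "198.51.100.2", 443, "192.168.1.10", 50000, "SA"),  # its reply
    ("udp", "192.168.1.10", 5353, "198.51.100.53", 53, None),   # LAN UDP out
    ("tcp", "203.0.113.7", 40001, "192.168.1.10", 22, "S"),     # unsolicited SYN
    ("tcp", "203.0.113.7", 40002, "192.168.1.5", 80, "A"),      # stray ACK, no state
]

def run(packets=SAMPLE):
    states = {}
    return [decide(p, states) for p in packets]
```

`run()` returns one `(action, matched_by)` pair per packet, where `matched_by` is either the 1-based position of the static rule in the list or `dynamic` for a packet accepted by check-state.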



## qsecofr (May 24, 2011)

I'm not sure I understand where you're experiencing a problem. Can all your private LAN traffic go out & return? Can the outside world access your webserver, and can your webserver respond? Can your private LAN access your webserver? Are unwanted packets getting in?

You didn't post any failed packets from /var/log/security.

You may wish to test the inclusion of some extra rules to aid the diagnosis of your problem.  Read up on frag & established, though, and verify they don't pose a risk for you before adding them to your rule set.


```
ipfw add ### check-state
ipfw add ### permit log all from any to any frag
ipfw add ### permit log all from any to 192.168.1.5 established
ipfw add ### permit tcp from any to 192.168.1.5 80 setup keep-state
ipfw add ### permit tcp from 192.168.1.5 80 to any setup keep-state
etc...
```

For me, I had an issue in the past with fragments.  And established catches some packets that check-state doesn't seem to.  Check the logs for failed packets.

`ipfw -d show` will display the stateful connections too.


----------

