Home > ipfw > ipfw - purpose of outgoing keep-state?

ipfw - purpose of outgoing keep-state?

May 28Hits:1

I'm looking over the ipfw rules for our webserver and it struck me that we use check/keep-state on all outgoing traffic. We only have a handful ports open in both directions. We dont have much outgoing traffic, and 99% of it is on port 80 (PHP/CURL for example). There could be a potential risk of filling up the state table, so i'm thinking maybe its unnecessary to use keep-state at all. We dont use it on ingoing (for obvious reasons). What in general is the purpose of using out keep-state?


Outgoing keep-state opens the ports dynamically for replies to outgoing traffic. These reply packets could come back on any port so keep-state reduces the exposure while opening the random ports used from the external service allowing the reply packets back in. In special cases a server could run without keep-state, no externally bound traffic, but in practice most systems use external services. A multi-tiered system could be setup to reply on specific ports but the default configuration for most general use services is; known port inbound - random port outbound. DNS, outbound email, remote logging, ping, load balance or watchdog heartbeats, pager/cell phone notifications, some or all are common outbound traffic on servers that "don't have outbound traffic".


Related Articles

  • ipfw - purpose of outgoing keep-state?May 28

    I'm looking over the ipfw rules for our webserver and it struck me that we use check/keep-state on all outgoing traffic. We only have a handful ports open in both directions. We dont have much outgoing traffic, and 99% of it is on port 80 (PHP/CURL f

  • Server unable to communicate OUT, fine serving trafficNovember 19

    We have several servers that are randomly loses the ability to communicate out to other nodes on the local network and internet. However websites are being served fine and we still have ssh access. A reboot seems to fix the problem for a few days. Th

  • VPN from Windows XP to OpenSwan: correct setup?February 28

    Main question is what I am doing wrong in my OpenSwan or L2TP client setup? I am trying to create a Linux OpenSwan VPN connection from Windows XP machine, using preshared key and the builtin Windows XP L2TP IPsec option. I have followed the instructi

  • If I have two internet connections on osx, how can I use both to increase my bandwidth?December 2

    I understand that any one connection (such as a non-p2p download) will use just one of the connections, but since most normal activity involves multiple connections at once, I can still in theory increase my overall bandwidth by sending some traffic

  • What is a stateful firewall and how does it work? November 7

    Could someone, please, explain what a statefull firewall is and how it works? Also, it would be helpful if you can compare it to a stateless firewall. --------------Solutions------------- Stateful means it tracks connections, looks at the 3 way hands

  • Block all outgoing connection attempts as per application via ipfwNovember 8

    I need to block all outgoing connection attempts made by a particular app in order to prevent it from downloading updates automatically via ipfw? --------------Solutions------------- You could try to edit the hosts file and redirect the application's

  • IPFW Forward outgoing trafficDecember 3

    So i have a single BSD firewall using NATD and IPFW. This firewall has 5 static IP's assigned to it. Using NATD i can easily forward and entire external ip to an internal ip. But when the internal server sends it's response how do i get it to come ou

  • FreeBSD IP aliases in different subnets and default outgoing IP addressMarch 8

    I have a FreeBSD VPS that until recently had assigned 3 public ip addresses in a /29 subnet. When making outgoing connections, the IP address used was always the non aliased one ".20", however now I have added another block of 3 ip addresses in

  • Whether to filter (for spam, viruses) outgoing mail or not?November 5

    The purpose of this questions, is to understand pros and cons of filtering outgoing mail. I am admin of an ISP. As usual, users, who have dynamic IPs, can send mail only with ISP's SMTP server. Nowadays users can send mail without authorization insid

  • Does PF support divert like IPFW?November 30

    I'm currently using IPFW on 3 dedicated firewall servers, and I would like to convert them to PF for some of its functionalities, but I need divert to work. Specifically I am teeing packets to a custom application for network analysis purposes. Is it

  • Any good utility to track outgoing traffic and requests from win PC?

    Any good utility to track outgoing traffic and requests from win PC? January 22

    Possible Duplicate: Monitor all and any internet traffic from my home PC - what should I use? Hello, need an advice if there is any good utility to track all outgoing traffic, requests to internet, hosts etc from my home win PC? Just want to keep tra

  • Is there a way to determine which service (in svchost.exe) does an outgoing connection?

    Is there a way to determine which service (in svchost.exe) does an outgoing connection?March 19

    I'm redoing my firewall configuration with more restrictive policies and I would like to determine the provenance (and/or destination) of some outgoing connections. I have an issue because they come from svchost.exe and go to web content/application

  • How can I make WinXP bind to ports other than 1025-5000 for outgoing TCP connections?April 13

    (I originally posted a similar question on StackOverflow but readers recommended I post here instead) When you create outgoing TCP connections, most applications let the operating system choose which port to use. Most OSes use the IANA recommended dy

  • SFTP being blocked outgoingSeptember 8

    I have an issue where on my server sftp is being allowed in but from the server I cannot go out. I have modified the packet filter to allow this. The rules I have added are as follows SFTP Incomming Protocol: TCP Source Port: Any Destination Port: 22

  • Block incoming mails; allow outgoing mailsMarch 27

    Our server hosts various domains, half of them using Google Apps for their e-mail and the other half simply does not use any domain e-mail accounts. However, the websites and applications (eg crons, firewall) on the server need to send out mail. For

  • How to block outgoing connections from process/user on FreeBSD?May 4

    My server executes third party software which processes user submitted files. I want to block outgoing connections from my process. How can I do it in FreeBSD? --------------Solutions------------- I think you're looking for a jail. This is a restrict

  • Any tips for blocking an address range for outgoing packets?December 18

    Anyone used ipfw or pfctl to block an IP address range for outgoing packets? I would like to temporarily block Apple's IP address range 17.*.*.* to find everything that's phoning home phoning home. Anyone know if Apple owns any other IP address range

  • What port range will ipfw nat use for aliasing?January 8

    I am using ipfw nat with the following config ipfw -q nat 1 config if em0 Which TCP and UDP ranges will the NAT choose its alias ports from? I would like it to be always from the range 49152–65535, so that I can do: add allow tcp from any to me 22 ad

  • Can I use divert as an alternative to ipfw fwd?March 5

    I would like to lead some traffic through a transparent proxy (which actually is on another server and connected with an ssh tunnel). Normally I could do this: ipfw add forward localhost,8080 tcp from any to x.x.x.x 80 However, fwd/forward needs a re

  • How can I disable all outgoing emails from a site all at once?March 14

    There are some automated outgoing emails from my Drupal site like by core system mail, ubercart, webform and Rules. The reason is that I also have a test site which is exactly the copy of the production site. And I would like to disable all the outgo

Copyright (C) 2018 ceus-now.com, All Rights Reserved. webmaster#ceus-now.com 14 q. 0.322 s.