On May 24, 2005, at 4:28 PM, Stephane Raimbault wrote:
That's very interesting and makes sense. I do not have the check-state
in there, and just specify each port that is open, I'm
guessing I did not run into this problem with anything else, as dns
is a very stateful type of protocol?
DNS is more complicated than simple UDP-only protocols, sure. If you
have DNS problems, lots of other stuff won't work so well, either.
Would this be hand with an FTP server, right now I just tell the
ftp server to use specific
^^^^ "hard"?
passive ports, and open up the firewall to allow connections on
there. Would I be able to eliminate that with simply setting up
check-state and also having keep-state at the end of the tcp allow
rules ?
Active mode FTP is another hard case to deal with, but most clients
and servers support passive-mode FTP now, which works better over a
firewall or NAT situation.
If no check-state rule is specified, IPFW uses a fallback where it
supposedly looks for keep-state rules or limit rules, instead. But
yes, if you are going to use keep-state rules, you should have a
check-state rule, too. Only, it's better to put that rule sooner
rather than later, to reduce the amount of work the firewall has to
do for established connections.
--
-Chuck
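As an added example (not from this thread), a small stateful ruleset in the layout Chuck describes: check-state at the top, keep-state on the TCP setup and UDP rules, and the passive FTP data range still opened explicitly, since IPFW has no FTP helper that learns data ports from the control channel. Interface, address and port range are constructed for the example, and by default the script only prints the ipfw commands.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful IPFW ruleset.
# Assumptions (constructed): external interface em0, host 192.0.2.10,
# passive FTP data range 50000-50100. Set IPFW=/sbin/ipfw to apply for
# real; the default only echoes the rules so the layout can be reviewed.
IPFW=${IPFW:-echo ipfw}

OIF=em0
ME=192.0.2.10
PASV_LO=50000
PASV_HI=50100

rule() { $IPFW add "$@"; }

load_rules() {
    # 1. check-state first: packets of established flows match here and
    #    never walk the rest of the list.
    rule 100 check-state
    # 2. Loopback and basic anti-spoofing.
    rule 200 allow ip from any to any via lo0
    rule 210 deny ip from any to 127.0.0.0/8 in recv "$OIF"
    # 3. Outbound: every new flow from this host creates a dynamic entry,
    #    so DNS replies (UDP) and TCP responses need no inbound rule.
    rule 300 allow tcp from "$ME" to any out via "$OIF" setup keep-state
    rule 310 allow udp from "$ME" to any out via "$OIF" keep-state
    # 4. Inbound services: "setup keep-state" admits only the SYN and
    #    lets check-state handle the rest of the connection.
    rule 400 allow tcp from any to "$ME" 22,25,80,443 in via "$OIF" setup keep-state
    rule 410 allow tcp from any to "$ME" 21 in via "$OIF" setup keep-state
    # Passive FTP data connections are separate TCP flows that ipfw
    # cannot derive from the control channel, so the range stays explicit.
    rule 420 allow tcp from any to "$ME" "$PASV_LO-$PASV_HI" in via "$OIF" setup keep-state
    rule 430 allow udp from any to "$ME" 53 in via "$OIF" keep-state
    rule 440 allow tcp from any to "$ME" 53 in via "$OIF" setup keep-state
    # 5. Everything else, including packets that fall out of state, is
    #    dropped and logged for review.
    rule 65000 deny log ip from any to any
}

load_rules
```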
freebsd-ipfw mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw