Erik Trulsson wrote:
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:In which case would an ipfw ruleset like this:00100 114872026 40487887607 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 00600 1585 112576 deny ip from table(0) to me 01000 90279 7325972 allow icmp from any to any 05000 475961039 334422494257 allow tcp from me to any setup keep-state 05100 634155 65779377 allow udp from me to any keep-state06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state65400 12273387 629703212 deny log ip from any to any 65535 0 0 deny ip from any to anyIf you are using 'keep-state' should there not also be some rule containing 'check-state' ?
Not according to the ipfw(8) manual:
"""
These dynamic rules, which have a limited lifetime, are checked at the
first occurrence of a check-state, keep-state or limit rule, and
are typ-
ically used to open the firewall on-demand to legitimate traffic only.
See the STATEFUL FIREWALL and EXAMPLES Sections below for more
informa-
tion on the stateful behaviour of ipfw.
"""
I read this to mean the dynamic rules are checked at rule #5000 from the
above list. Is there an advantage to having an explicit check-state rule
in simple rulesets like this one?
signature.asc
Description: OpenPGP digital signature
