Ivan Voras wrote:
Erik Trulsson wrote:
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
In which case would an ipfw ruleset like this:
00100 114872026 40487887607 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00600 1585 112576 deny ip from table(0) to me
01000 90279 7325972 allow icmp from any to any
05000 475961039 334422494257 allow tcp from me to any setup keep-state
05100 634155 65779377 allow udp from me to any keep-state
06022 409604 69177326 allow tcp from any to me dst-port 22
setup keep-state
06080 52159025 43182548092 allow tcp from any to me dst-port 80
setup keep-state
06443 6392366 2043532158 allow tcp from any to me dst-port 443
setup keep-state
07020 517065 292377553 allow tcp from any to me dst-port 8080
setup keep-state
65400 12273387 629703212 deny log ip from any to any
65535 0 0 deny ip from any to any
If you are using 'keep-state' should there not also be some rule
containing
'check-state' ?
Not according to the ipfw(8) manual:
"""
These dynamic rules, which have a limited lifetime, are checked at the
first occurrence of a check-state, keep-state or limit rule, and
are typ-
ically used to open the firewall on-demand to legitimate traffic only.
See the STATEFUL FIREWALL and EXAMPLES Sections below for more
informa-
tion on the stateful behaviour of ipfw.
"""
I read this to mean the dynamic rules are checked at rule #5000 from the
above list. Is there an advantage to having an explicit check-state rule
in simple rulesets like this one?
the docs are wrong then I think.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"