Ivan Voras wrote:
Erik Trulsson wrote:
On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
In which case would an ipfw ruleset like this:

00100 114872026  40487887607 allow ip from any to any via lo0
00200         0            0 deny ip from any to 127.0.0.0/8
00300         0            0 deny ip from 127.0.0.0/8 to any
00600      1585       112576 deny ip from table(0) to me
01000     90279      7325972 allow icmp from any to any
05000 475961039 334422494257 allow tcp from me to any setup keep-state
05100    634155     65779377 allow udp from me to any keep-state
06022    409604     69177326 allow tcp from any to me dst-port 22 setup keep-state
06080  52159025  43182548092 allow tcp from any to me dst-port 80 setup keep-state
06443   6392366   2043532158 allow tcp from any to me dst-port 443 setup keep-state
07020    517065    292377553 allow tcp from any to me dst-port 8080 setup keep-state
65400  12273387    629703212 deny log ip from any to any
65535         0            0 deny ip from any to any

If you are using 'keep-state' should there not also be some rule containing
'check-state' ?

Not according to the ipfw(8) manual:

"""
     These dynamic rules, which have a limited lifetime, are checked at the
     first occurrence of a check-state, keep-state or limit rule, and are
     typically used to open the firewall on-demand to legitimate traffic only.
     See the STATEFUL FIREWALL and EXAMPLES Sections below for more information
     on the stateful behaviour of ipfw.
"""

I read this to mean the dynamic rules are checked at rule #5000 from the above list. Is there an advantage to having an explicit check-state rule in simple rulesets like this one?

The docs are wrong then, I think.

_______________________________________________
freebsd-net mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
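An added illustration of the manual text quoted in the thread (this is a small model written for this page, not FreeBSD's ipfw code): it walks the ruleset above in order and consults the dynamic-rule table only when it reaches the first check-state or keep-state rule, which for this ruleset is 05000. The addresses, the contents of table(0) and the rule ordering variant with an explicit check-state at 00500 are all constructed for the example; rule 00100 ("via lo0") is left out because interfaces are not modelled, and dynamic entries never expire.

```python
from collections import namedtuple
from dataclasses import dataclass

ME = "10.0.0.5"          # constructed stand-in for "me"
TABLE0 = {"192.0.2.7"}   # constructed contents of table(0)

# A packet as the model sees it; syn_only marks a connection opener (what "setup" matches).
Packet = namedtuple("Packet", "proto src dst sport dport syn_only", defaults=(False,))


@dataclass
class Rule:
    num: int
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"            # "ip" matches every protocol
    src: str = "any"             # "any", "me", "table0" or a /8 prefix
    dst: str = "any"
    dport: int = 0               # 0 means "any port"
    setup: bool = False
    keep_state: bool = False


def addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    if spec == "table0":
        return addr in TABLE0
    if spec.endswith("/8"):
        return addr.split(".")[0] == spec.split(".")[0]
    return addr == spec


def rule_matches(rule, pkt):
    """Static match of a rule's own selectors against one packet."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and (rule.dport == 0 or rule.dport == pkt.dport)
            and (not rule.setup or pkt.syn_only))


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic = {}        # 5-tuple of the opening packet -> parent rule's action

    def _lookup(self, pkt):
        # A dynamic rule matches its flow in both directions.
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.dynamic.get(fwd) or self.dynamic.get(rev)

    def process(self, pkt):
        """Walk the ruleset in order; return (action, rule number or "dynamic")."""
        for rule in self.rules:
            if rule.action == "check-state" or rule.keep_state:
                # First check-state/keep-state rule reached: dynamic rules are consulted here.
                hit = self._lookup(pkt)
                if hit is not None:
                    return (hit, "dynamic")
                if rule.action == "check-state":
                    continue     # check-state has no static selectors of its own
            if rule_matches(rule, pkt):
                if rule.keep_state:
                    self.dynamic[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = rule.action
                return (rule.action, rule.num)
        return ("deny", 65535)   # the default rule


# The ruleset from the thread, minus rule 00100 (interfaces are not modelled).
PAGE_RULES = [
    Rule(200, "deny", dst="127.0.0.0/8"),
    Rule(300, "deny", src="127.0.0.0/8"),
    Rule(600, "deny", src="table0", dst="me"),
    Rule(1000, "allow", "icmp"),
    Rule(5000, "allow", "tcp", "me", "any", setup=True, keep_state=True),
    Rule(5100, "allow", "udp", "me", "any", keep_state=True),
    Rule(6022, "allow", "tcp", "any", "me", 22, setup=True, keep_state=True),
    Rule(6080, "allow", "tcp", "any", "me", 80, setup=True, keep_state=True),
    Rule(6443, "allow", "tcp", "any", "me", 443, setup=True, keep_state=True),
    Rule(7020, "allow", "tcp", "any", "me", 8080, setup=True, keep_state=True),
    Rule(65400, "deny"),
]
# Constructed variant: an explicit check-state placed ahead of the table(0) deny.
WITH_CHECK_STATE = [Rule(500, "check-state")] + PAGE_RULES


def outbound_then_reply(rules):
    """me opens a TCP connection to an outside host, then the reply arrives."""
    fw = Firewall(rules)
    syn = Packet("tcp", ME, "198.51.100.9", 50000, 443, syn_only=True)
    return fw.process(syn), fw.process(Packet("tcp", "198.51.100.9", ME, 443, 50000))


def reply_from_table0_host(rules):
    """Same, but the peer is listed in table(0), which rule 00600 denies."""
    fw = Firewall(rules)
    syn = Packet("tcp", ME, "192.0.2.7", 50001, 80, syn_only=True)
    return fw.process(syn), fw.process(Packet("tcp", "192.0.2.7", ME, 80, 50001))


def unsolicited_ack(rules):
    """A non-SYN segment to port 80 with no state behind it; "setup" keeps it out."""
    return Firewall(rules).process(Packet("tcp", "203.0.113.4", ME, 40000, 80))
```

With the ruleset as posted, the reply to a connection that "me" opened is accepted at 05000 through the dynamic rule, so the keep-state rules do work without a check-state. The difference an explicit check-state makes is where the lookup happens: with the posted ordering, a reply from a host in table(0) is dropped by 00600 before the state lookup at 05000 ever runs, whereas the constructed variant with check-state at 00500 accepts that reply from state. Whether that is an improvement depends on whether the table(0) deny is meant to win over existing connections, which is the thing to decide before adding the rule.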