There are 3 classes of rules in IPFW; each class has separate packet interrogation abilities, and each succeeding class has greater packet interrogation abilities than the previous one. These are stateless, simple stateful, and advanced stateful. The advanced stateful rule class is the only class having technically advanced interrogation abilities capable of defending against the flood of different attack methods currently employed by perpetrators. Stateless and Simple Stateful IPFW firewall rules are inadequate to protect the user's system in today's internet environment and leave the user unknowingly believing they are protected when in reality they are not.
The advanced stateful rule option keep-state works as documented only when used in a rule set that does not use the divert rule. Simply stated, the IPFW advanced stateful rule option keep-state does not function correctly when used in an IPFW firewall that is also using the IPFW built-in NATD function. For the most complete keep-state protection the other FIREWALL solution (IPFILTER) that comes with FBSD should be used. Just check out the IPFW list archives and you will see this subject discussed in detail without any solution forthcoming.

http://www.obfuscation.org/ipf/
http://www.obfuscation.org/ipf/ipf-howto.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Petre Bandac
Sent: Sunday, February 02, 2003 4:51 AM
To: [EMAIL PROTECTED]
Subject: ipfw firewall questions

hello

I'm about to "compose" my first ipfw firewall - and, since I have worked quite a lot with iptables, I'm interested in a few minor similarities:

1 - is the firewall called by rc.conf? or can I call it at boot time via whatever *.sh placed in the right place
2 - can the firewall be an executable bash script (i.e. like a regular linux firewall, with variables like myIP="192.168.0.0")?

I guess the rest is covered in the docs I have carefully RTFM :-)

thanks,

petre
--
Login: petre    Name: Petre Bandac
Directory: /home/petre    Shell: /usr/local/bin/zsh
On since Fri Jan 31 20:40 (EET) on ttyv1, idle 1 day 14:58 (messages off)
On since Sun Feb 2 09:28 (EET) on ttyp0, idle 1:15, from :0
On since Sun Feb 2 09:43 (EET) on ttyp1, idle 1:31, from :0
On since Fri Jan 31 23:46 (EET) on ttyp2, idle 0:02, from :0
On since Sun Feb 2 11:07 (EET) on ttyp3, idle 0:24, from :0
No Mail.
No Plan.

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message
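The following is an added example, written by the editor and not posted by either participant in the thread. It puts Petre's two questions and the reply's keep-state point into one /bin/sh rule script: address variables at the top (the iptables-style "myIP" habit), the check-state/keep-state pattern the reply calls "advanced stateful", and deliberately no divert rule, since the reply reports keep-state misbehaving alongside NATD. The interface name fxp0, the LAN range 192.168.0.0/24, the rule numbers and the dry-run mode (commands are echoed unless FWCMD points at the real ipfw binary) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful IPFW rule script in the
# style Petre asks about. Runs in dry-run mode by default (prints the ipfw
# commands); set FWCMD=/sbin/ipfw on a FreeBSD host to apply them.
#
# To have rc.conf call it at boot (Petre's question 1), FreeBSD's rc.conf
# accepts firewall_enable="YES" and firewall_script="/path/to/this/script".

fwcmd="${FWCMD:-echo ipfw}"   # dry-run unless FWCMD is set (assumption)
oif="${OIF:-fxp0}"            # outside interface (assumed placeholder)
lan="${LAN:-192.168.0.0/24}"  # inside network (assumed placeholder)

# build_ruleset prints (or applies) the rules in order. No divert rule is
# used, so keep-state is exercised in the configuration the reply says works.
build_ruleset() {
    $fwcmd -f flush

    # Loopback traffic is always fine; anything else claiming 127/8 is bogus.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any

    # check-state: packets matching a dynamic (keep-state) entry are accepted
    # here and never reach the rules below.
    $fwcmd add 200 check-state

    # Outbound connections from the LAN create the dynamic state entries.
    $fwcmd add 300 allow tcp from "$lan" to any out via "$oif" setup keep-state
    $fwcmd add 310 allow udp from "$lan" to any out via "$oif" keep-state

    # Inbound: only an explicitly offered service may open a new connection.
    $fwcmd add 400 allow tcp from any to me 22 in via "$oif" setup keep-state

    # Stray packets with the ACK bit set that matched no dynamic entry are
    # denied; a "simple stateful" rule set would allow them on the ACK bit
    # alone (the 'established' idiom), which is the weakness keep-state fixes.
    $fwcmd add 500 deny tcp from any to any established in via "$oif"

    # Everything else is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any
}

# Helper for checks: number of generated rules that carry keep-state.
count_keep_state() {
    build_ruleset | grep -c 'keep-state'
}

# Helper for checks: succeeds only if no divert rule was generated.
has_no_divert() {
    ! build_ruleset | grep -q ' divert '
}

build_ruleset
```

Run it as-is to review the rule list, then with FWCMD=/sbin/ipfw to load it; the order matters because check-state must sit before the rules that would otherwise re-evaluate packets belonging to tracked connections.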