----- Original Message -----
From: "Giorgos Keramidas" <[EMAIL PROTECTED]>
To: "Drew Tomlinson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 20, 2003 8:52 AM
> On 2003-03-19 15:19, Drew Tomlinson <[EMAIL PROTECTED]> wrote:
>> I'm using ipfw2 to set up a firewall on 4.8-RC for my home network.
>> I used the rule set at
>>
>> http://www.bsdtoday.com/2000/December/rc.firewall.current
>>
>> as an example but am confused regarding the differences between
>> setting rules using "setup/established" and "keep-state /
>> check-state". I've read the ipfw man page and understand that
>> "setup/established" matches syn/ack bits in a packet where
>> "keep-state/check-state" actually creates a dynamic rule.
>> But not being really knowledgeable about how IP packets are
>> constructed, I'm not sure what this means in the real world.
>
> It means that `established' uses a very simple test of packet contents
> to find out if this packet belongs to an existing connection. This
> simple test is "good enough" for some packets, but will match packets
> that are not part of a real, existing connection too.
>
>> If I understand it correctly, the example at BSDToday basically uses
>> "setup/established" to allow traffic in for services that I allow.
>> So in my case I would use it for FTP, SMTP, SSH, and HTTP. Then the
>> rule set uses "keep-state/check-state" for connections originating
>> from my internal network to the outside world. But why should I not
>> use "keep-state/check-state" for everything by adding my check-state
>> rule near the top and then adding the following rule for incoming
>> services:
>>
>> ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
>
> As a matter of fact, you should. The 'established' keyword is not as
> nice as a real, stateful firewall (which {keep,check}-state gives you).
>
>> I've actually done this and it is working but I'd like to know if
>> this is a good or bad idea and why.
>
> In a reply to a private message, a few weeks ago, I tried to explain
> the difference to someone. Here's the message, without any names.
> I hope this helps a bit :-)

Thank you for the explanation. It does help.

One other question I have is that I never see the "check-state" packet
count incrementing. However, I vaguely recall reading somewhere that it
doesn't, even when packets pass via the rule. Is this correct?

I'm happy to know that the "keep/check-state" rules are the way to go.
It makes my rule set simpler too. Now on to traffic prioritization via
dummynet! :)

Thanks again,

Drew
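To make the difference Giorgos describes concrete, here is a small Python model of the two matching styles. It is an added illustration, not code from this thread or from FreeBSD's ipfw: the `established` test looks only at the ACK/RST bits of the packet in hand, while keep-state/check-state keeps a table of flows that were actually opened and lets later packets through only if they belong to one of those flows. The inside prefix, the port list (the FTP/SMTP/SSH/HTTP services Drew names), the rule names, and the sample packets are all constructed here; the keep-state rules in the model additionally require `setup`, which is a choice of this model rather than a transcription of the rule Drew quoted; and crediting a dynamic-table hit to the rule that created the entry (so the check-state counter stays at zero) is likewise a modelling choice, not a statement about ipfw's own accounting.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to the fields the two ipfw tests look at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


# Constructed sample topology: the inside network and the inbound services
# Drew lists (FTP, SMTP, SSH, HTTP).  Addresses come from documentation ranges.
INSIDE_PREFIX = "192.168.1."
ALLOWED_INBOUND = {21, 22, 25, 80}


def from_inside(pkt: Packet) -> bool:
    return pkt.src.startswith(INSIDE_PREFIX)


def is_setup(pkt: Packet) -> bool:
    """ipfw `setup`: SYN set and ACK clear, i.e. the first packet of a handshake."""
    return pkt.syn and not pkt.ack


def is_established(pkt: Packet) -> bool:
    """ipfw `established`: ACK or RST set.  A test on the packet alone; it never
    asks whether a handshake actually happened."""
    return pkt.ack or pkt.rst


def stateless_policy(pkt: Packet) -> str:
    """Rule set in the setup/established style.  Returns "allow" or "deny"."""
    if is_established(pkt):
        return "allow"            # any packet with ACK/RST set gets through
    if is_setup(pkt) and from_inside(pkt):
        return "allow"            # inside hosts may open connections anywhere
    if is_setup(pkt) and pkt.dport in ALLOWED_INBOUND:
        return "allow"            # anyone may open the listed services
    return "deny"


class StatefulPolicy:
    """Rule set in the keep-state/check-state style.

    A dynamic entry is created only by the first packet that matches a
    keep-state rule; later packets of that flow match the entry via
    check-state.  The keep-state rules here also require `setup` (a choice
    of this model), so only a handshake start can create state.
    """

    def __init__(self) -> None:
        self.dynamic = {}         # flow key -> name of the rule that created it
        self.hits = {"check-state": 0, "keep-state-in": 0, "keep-state-out": 0}

    @staticmethod
    def flow_key(pkt: Packet) -> frozenset:
        # Endpoints as an unordered pair, so a reply matches the same entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def filter(self, pkt: Packet) -> str:
        key = self.flow_key(pkt)
        if key in self.dynamic:                             # check-state
            # Modelling choice: credit the hit to the rule that created the
            # entry, so the check-state counter itself never moves.
            self.hits[self.dynamic[key]] += 1
            return "allow"
        if from_inside(pkt) and is_setup(pkt):              # outbound keep-state
            self.dynamic[key] = "keep-state-out"
            self.hits["keep-state-out"] += 1
            return "allow"
        if is_setup(pkt) and pkt.dport in ALLOWED_INBOUND:  # inbound keep-state
            self.dynamic[key] = "keep-state-in"
            self.hits["keep-state-in"] += 1
            return "allow"
        return "deny"


# Constructed packet sequence: an outbound web connection and its reply, a
# forged inbound ACK to a port offering no service, and an inbound SSH SYN.
SAMPLE_FLOW = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),
    Packet("198.51.100.9", 1234, "192.168.1.10", 5555, ack=True),
    Packet("198.51.100.9", 50000, "192.168.1.10", 22, syn=True),
]


def compare(packets):
    """Run one packet sequence through both policies.

    Returns the (stateless verdict, stateful verdict) pairs and the
    StatefulPolicy instance, so its table and counters can be inspected.
    """
    stateful = StatefulPolicy()
    verdicts = [(stateless_policy(p), stateful.filter(p)) for p in packets]
    return verdicts, stateful


if __name__ == "__main__":
    verdicts, fw = compare(SAMPLE_FLOW)
    for pkt, (stateless, stateful) in zip(SAMPLE_FLOW, verdicts):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"established-style={stateless}  keep-state-style={stateful}")
    print("rule hit counters:", fw.hits)
```

The third sample packet is the one that matters: it carries an ACK but belongs to no connection anyone opened, so the `established` rule passes it while the stateful policy, finding no dynamic entry and no handshake start, drops it. The counters at the end also show why a check-state rule can look idle in this model: both legitimate flows were opened by keep-state rules, and the reply packet is counted against the outbound keep-state rule that created its entry.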