On 2003-03-20 11:56, James Long <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 20, 2003 at 06:52:32PM +0200, Giorgos Keramidas wrote:
> > > use "keep-state/check-state" for everything by adding my check-state
> > > rule near the top and then adding the following rule for incoming
> > > services:
> > >
> > > ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
> >
> > As a matter of fact, you should.  The 'established' keyword is not as
> > nice as a real, stateful firewall (which {keep,check}-state gives you).
>
> A learning question:  First, I am working from the understanding that
> the keep-state flag results in _one_ rule from any to $inwr, but creates
> the complementary "$inwr to any" rules for the return traffic on a dynamic
> basis, and that there is one dynamic rule for each connection that is
> active at the time.  I welcome enlightenment if I am mistaken in this.
>
> Given that one wants to run those four ports wide open to the world, won't
> "keep-state" result in the firewall creating N dynamic rules for the return
> traffic, where N is the number of connections open to those four ports?
> When N is large (i.e., when there are many connections to those ports),
> would it not result in fewer firewall rule comparisons to just run them
> wide open and be done with it?
>
> If one accepts traffic from anyone coming in to those ports, what is to
> be gained by restricting the IPs to which our server can send return
> traffic from those ports?
>
> ipfw add allow ip from any to $inwr 21,22,25,80
> ipfw add allow ip from $inwr 21,22,25,80 to any
>
> Wouldn't this result in a maximum of two rules, instead of N + 1?

True.  This is probably a good way of avoiding the overhead associated
with dynamic rules.  I was only comparing 'established' to '*-state' ;)
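The two rulesets compared above, side by side, as an added example that is not James's or Giorgos's own configuration; it uses the `$fwcmd` convention of FreeBSD's rc.firewall so it only prints the commands unless you set `fwcmd=ipfw`, and `192.0.2.10` is an assumed documentation address standing in for `$inwr`.

```shell
#!/bin/sh
# Added example, not from the list thread.  On a FreeBSD host run with
# fwcmd=ipfw; the default just echoes the rules so it can be run anywhere.
fwcmd="${fwcmd:-echo ipfw}"

# Stateful variant: check-state near the top, keep-state on the service rule.
# Every accepted connection adds a dynamic entry, so a busy server carries
# N entries in the dynamic table (bounded by net.inet.ip.fw.dyn_max).
stateful_rules() {
    inwr="$1"
    $fwcmd add 100 check-state
    $fwcmd add 200 allow ip from any to "$inwr" 21,22,25,80 keep-state
}

# Stateless variant: two static rules and no dynamic table.  Note that the
# second rule matches any packet leaving with those source ports, whether
# or not it belongs to a connection the first rule admitted; the stateful
# variant only passes traffic that matches an existing dynamic entry.
stateless_rules() {
    inwr="$1"
    $fwcmd add 100 allow ip from any to "$inwr" 21,22,25,80
    $fwcmd add 200 allow ip from "$inwr" 21,22,25,80 to any
}

# Static rules installed by a variant: 2 in both cases; the difference is
# the per-connection dynamic entries that sit behind check-state.
rule_count() {
    "$1" "$2" | grep -c .
}
```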



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
