On 2003-03-20 11:56, James Long <[EMAIL PROTECTED]> wrote:
> On Thu, Mar 20, 2003 at 06:52:32PM +0200, Giorgos Keramidas wrote:
> > > use "keep-state/check-state" for everything by adding my check-state
> > > rule near the top and then adding the following rule for incoming
> > > services:
> > >
> > > ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
> >
> > As a matter of fact, you should. The 'established' keyword is not as
> > nice as a real, stateful firewall (which {keep,check}-state gives you).
>
> A learning question: First, I am working from the understanding that
> the keep-state flag results in _one_ rule from any to $inwr, but creates
> the complementary "$inwr to any" rules for the return traffic on a dynamic
> basis, and that there is one dynamic rule for each connection that is
> active at the time. I welcome enlightenment if I am mistaken in this.
>
> Given that one wants to run those four ports wide open to the world, won't
> "keep-state" result in the firewall creating N dynamic rules for the return
> traffic, where N is the number of connections open to those four ports?
> When N is large (i.e., when there are many connections to those ports),
> would it not result in fewer firewall rule comparisons to just run them
> wide open and be done with it?
>
> If one accepts traffic from anyone coming in to those ports, what is to
> be gained by restricting the IPs to which our server can send return
> traffic from those ports?
>
> ipfw add allow ip from any to $inwr 21,22,25,80
> ipfw add allow ip from $inwr 21,22,25,80 to any
>
> Wouldn't this result in a maximum of two rules, instead of N + 1?
True. This is probably a good way of avoiding the overhead associated with
dynamic rules. I was only comparing 'established' to '*-state' ;)
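Added example, not part of the thread and not ipfw code: a small Python model of the two policies discussed above (the static "any to $inwr" / "$inwr to any" pair versus check-state plus a keep-state rule), written to show what the static pair gives up. It assumes a made-up address 192.0.2.10 for $inwr, made-up client and attacker addresses, and a simplified notion of a dynamic rule (one entry per 5-tuple, matched in both directions, never expiring). It reproduces James's count (2 rules versus N + 2) and also shows the difference the thread does not spell out: with the static pair, any packet the server emits from source port 21, 22, 25 or 80 is allowed to any destination, whether or not a client ever connected, and since "ip" matches every protocol that includes UDP; the stateful rules only pass return traffic of a flow that entered through the inbound rule.

```python
"""
Toy model of two ipfw policies for a server ($inwr) exposing 21,22,25,80.
This is NOT ipfw: it is a simplified simulator written for illustration.
Addresses and ports below are constructed sample data.
"""
from dataclasses import dataclass

INWR = "192.0.2.10"            # assumed value of $inwr
SERVICES = {21, 22, 25, 80}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class StaticPair:
    """allow ip from any to $inwr 21,22,25,80
       allow ip from $inwr 21,22,25,80 to any"""

    def allows(self, p):
        inbound = p.dst == INWR and p.dport in SERVICES
        # Any packet sourced from a service port leaves, regardless of
        # protocol, destination, or whether a client ever connected.
        outbound = p.src == INWR and p.sport in SERVICES
        return inbound or outbound

    def rule_count(self):
        return 2


class Stateful:
    """check-state
       allow ip from any to $inwr 21,22,25,80 keep-state"""

    def __init__(self):
        # One dynamic entry per active flow, keyed by 5-tuple.
        # (Real ipfw entries expire; the model ignores that.)
        self.dynamic = set()

    def allows(self, p):
        # check-state: a dynamic entry matches in either direction
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.dynamic or rev in self.dynamic:
            return True
        # keep-state rule: only inbound traffic to a service port creates state
        if p.dst == INWR and p.dport in SERVICES:
            self.dynamic.add(fwd)
            return True
        return False

    def rule_count(self):
        # check-state + the keep-state rule + N dynamic entries
        return 2 + len(self.dynamic)


def run_scenario(n_clients=100):
    """Drive both policies with the same packets and return what each decided."""
    static, stateful = StaticPair(), Stateful()
    out = {}

    # N clients open SSH sessions to the server (constructed addresses).
    for i in range(1, n_clients + 1):
        syn = Packet("tcp", f"198.51.100.{i}", 40000 + i, INWR, 22)
        static.allows(syn)
        stateful.allows(syn)
    out["rules_static"] = static.rule_count()
    out["rules_stateful"] = stateful.rule_count()

    # Legitimate return traffic for one of those sessions.
    reply = Packet("tcp", INWR, 22, "198.51.100.7", 40007)
    out["reply_static"] = static.allows(reply)
    out["reply_stateful"] = stateful.allows(reply)

    # Unsolicited packet from the server, source port 22, to a host that
    # never connected (what a process on the server binding port 22 could send).
    rogue = Packet("tcp", INWR, 22, "203.0.113.5", 4444)
    out["rogue_static"] = static.allows(rogue)
    out["rogue_stateful"] = stateful.allows(rogue)

    # "ip" matches UDP too: the static pair lets UDP from port 80 out as well.
    udp = Packet("udp", INWR, 80, "203.0.113.5", 53)
    out["udp_static"] = static.allows(udp)
    out["udp_stateful"] = stateful.allows(udp)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:16} {v}")
```

Two practical notes on the cost side of the trade-off, for anyone weighing this on a real FreeBSD box: ipfw keeps dynamic rules in a hash table (sized by net.inet.ip.fw.dyn_buckets), so a check-state lookup is not a linear walk over all N entries, and the total number of dynamic rules is capped by net.inet.ip.fw.dyn_max, which means a busy or flooded server can hit that cap and have new keep-state matches fail; if you go stateful on wide-open ports, size those sysctls and watch the count.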