JJB wrote:

First indication is the hit count on the check-state rule. It's zero,
which means there is never a match in the keep-state table. For all
practical purposes your firewall keep-state rules are useless.

I was suspicious of that too, but if I remove the keep-state option from the allow rules, I get no return traffic. Replies from websites never make it back. So I assumed that the state was being recorded and used correctly.

Just within the last few days a complete working example of ipfw +
natd + stateful rules was posted here for the archives.

Search the questions archives for your answer.

Yes, I have been referring to that posting, but I'm struggling to see what (fundamentally) the poster has put in his ruleset that I have not. He has denied several IP addresses that should never send packets, and he has allowed some specific outbound traffic types, but it basically seems to be doing the same. Hence my desire to understand what I am clearly missing.
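As an added illustration (not either poster's ruleset), here is the rule ordering ipfw needs for check-state to be the place where reply packets are counted when natd is in the path. The interface name fxp0 and the LAN prefix 192.168.1.0/24 are placeholders.

```ipfw
# Added example, not the ruleset from the thread. fxp0 = outside interface,
# 192.168.1.0/24 = LAN behind natd (both placeholders).
#
# ipfw consults the dynamic (keep-state) table at the FIRST check-state,
# keep-state or limit rule it reaches. If a keep-state rule sits above
# check-state, the lookup (and the hit) lands on that rule and the
# check-state counter stays at zero even though state is being used.
# Dynamic entries are keyed on the addresses the packet carries when the
# keep-state rule fires, so outbound packets must create state BEFORE
# they are translated by natd, and replies must be un-translated BEFORE
# check-state sees them.

# 1. Inbound: un-NAT replies first, so they carry the LAN address again.
ipfw add 100 divert natd ip from any to any in via fxp0

# 2. Dynamic-table lookup. Replies to keep-state sessions match here;
#    this is the counter that should be growing.
ipfw add 200 check-state

# 3. Traffic that must never arrive from the outside.
ipfw add 300 deny ip from 192.168.1.0/24 to any in via fxp0
ipfw add 310 deny ip from 127.0.0.0/8 to any in via fxp0

# 4. Outbound sessions create state while still un-translated. skipto
#    rather than allow, so the packet still reaches the outbound NAT rule
#    (an allow here would accept it before natd ever saw it).
ipfw add 400 skipto 800 tcp from 192.168.1.0/24 to any out via fxp0 setup keep-state
ipfw add 410 skipto 800 udp from 192.168.1.0/24 to any 53 out via fxp0 keep-state
ipfw add 420 skipto 800 icmp from 192.168.1.0/24 to any out via fxp0 keep-state

# 5. Anything else inbound on the outside interface is dropped and logged.
ipfw add 500 deny log ip from any to any in via fxp0

# 6. Outbound NAT for packets that passed a keep-state rule above.
ipfw add 800 divert natd ip from any to any out via fxp0
ipfw add 801 allow ip from any to any
```

`ipfw -a list` shows the per-rule packet counters and `ipfw -d list` adds the dynamic entries, which is the quickest way to see which rule is actually absorbing the reply traffic.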

