Re: IPFW: Is keep/check-state inherent?
Steve Bertrand wrote:
> Hi everyone,
>
> I can't recall for certain, but not so long ago, I either read or heard
> about IPFW having implicit keep-state and check-state. Is it true that I
> can now omit these keywords in my rulesets?

Haven't used IPFW in years so I do not know about IPFW. However, this is the case for the latest pf upgrade/import from OpenBSD. For pf now I think you need no state if you want to disable, as keep state is on by default now.

-Mike

freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
Re: IPFW: Is keep/check-state inherent?
Steve Bertrand wrote:
> I can't recall for certain, but not so long ago, I either read or heard
> about IPFW having implicit keep-state and check-state. Is it true that I
> can now omit these keywords in my rulesets?

keep-state is not implicit. check-state is not generally necessary, because dynamic rules are applied at the very first occurrence of a stateful rule.

I prefer to use keep-state for outbound traffic (something like allow all from me to any keep-state). For things with inbound connections, I prefer to not use state (allow tcp from any to me http; allow tcp from me http to any) in order to prevent remote hosts from using up all the dynamic rules.

--
Chris Cowart
Network Technical Lead
Network Infrastructure Services, RSSP-IT
UC Berkeley
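
Added example, not part of either message and not ipfw code: a small Python model of the trade-off described in the reply above, comparing stateful and stateless handling of inbound HTTP against one bounded dynamic-rule table. The table size, addresses and class names are constructed, and the drop-when-full behaviour and the absence of expiry timers are assumptions of the model.

```python
# Simplified model of ipfw dynamic rules (constructed example, not ipfw code).
# Assumptions: one shared, bounded dynamic-rule table (ipfw bounds it with the
# net.inet.ip.fw.dyn_max sysctl) and a packet is dropped when its keep-state
# rule cannot install a new entry. Expiry timers are not modelled.

DYN_MAX = 8  # tiny constructed limit so the effect shows with few flows


class Firewall:
    def __init__(self, inbound_http_stateful):
        self.inbound_http_stateful = inbound_http_stateful
        self.dyn = set()  # flow keys currently held as dynamic rules

    def _keep_state(self, flow):
        """Match an existing dynamic rule or try to install a new one."""
        if flow in self.dyn:
            return True
        if len(self.dyn) >= DYN_MAX:
            return False  # table full: no state installed, packet dropped
        self.dyn.add(flow)
        return True

    def outbound(self, dst, dport):
        # models: allow all from me to any keep-state
        return self._keep_state(("me", 0, dst, dport))

    def inbound_http(self, src, sport):
        if self.inbound_http_stateful:
            # models: allow tcp from any to me http keep-state
            return self._keep_state((src, sport, "me", 80))
        # models: allow tcp from any to me http; allow tcp from me http to any
        return True


def run(inbound_http_stateful, remote_flows=100):
    """Return (dynamic rules in use, whether a later outbound flow passes)."""
    fw = Firewall(inbound_http_stateful)
    # Constructed input: many distinct remote clients connect to port 80.
    for i in range(remote_flows):
        fw.inbound_http(f"198.51.100.{i % 250 + 1}", 1024 + i)
    # Afterwards the host opens its own outbound connection.
    allowed = fw.outbound("192.0.2.53", 53)
    return len(fw.dyn), allowed


if __name__ == "__main__":
    print("stateful inbound :", run(True))
    print("stateless inbound:", run(False))
```

With stateful inbound rules the remote flows occupy every slot and the host's own outbound flow cannot get state; with the stateless pair the table holds only the outbound entry.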