From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: IPFW - "keep-state/check-state" And "setup/established" Confusion
Date: Wed, 19 Mar 2003 15:19:51 -0800

I'm using ipfw2 to set up a firewall on 4.8-RC for my home network. I used the rule set at http://www.bsdtoday.com/2000/December/rc.firewall.current as an example, but am confused regarding the differences between setting rules using "setup/established" and "keep-state/check-state". I've read the ipfw man page and understand that "setup/established" matches SYN/ACK bits in a packet, whereas "keep-state/check-state" actually creates a dynamic rule. But not being really knowledgeable about how IP packets are constructed, I'm not sure what this means in the real world.
If I understand it correctly, the example at BSDToday basically uses "setup/established" to allow traffic in for services that I allow. So in my case I would use it for FTP, SMTP, SSH, and HTTP. Then the rule set uses "keep-state/check-state" for connections originating from my internal network to the outside world. But why should I not use "keep-state/check-state" for everything by adding my check-state rule near the top and then adding the following rule for incoming services:

    ipfw add allow ip from any to $inwr 21,22,25,80 keep-state

I've actually done this and it is working, but I'd like to know if this is a good or bad idea and why.

Thanks,

Drew
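The difference the question is asking about can be made concrete with a small model. The following Python is an added illustration written for this page, not ipfw code and not part of Drew's message or the BSDToday rule set. It models the two rule styles as ipfw(8) documents them: "setup" matches a TCP packet with SYN set and ACK clear, "established" matches any TCP packet with RST or ACK set, and "keep-state"/"check-state" consult a table of dynamic rules created when a flow first matched a keep-state rule. The inside host address, the remote address, the port list and the packets are constructed sample values; the stateful model also adds "setup" to the keep-state rule, which the rule in the question does not.

```python
"""Toy model of ipfw's two ways of admitting return traffic (added example).

"established" is a stateless flag test, so any TCP packet carrying ACK or RST
matches it whether or not a connection exists.  "keep-state"/"check-state"
only admit packets that belong to a flow the firewall has already recorded.
"""
from dataclasses import dataclass

# TCP flag bits as they appear in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10

INSIDE = "10.0.0.5"            # constructed: the host behind the firewall ($inwr)
SERVICES = {21, 22, 25, 80}    # constructed: the services the question exposes


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def is_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. a connection request."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def is_established(p: Packet) -> bool:
    """ipfw 'established': RST or ACK set.  Purely a flag test; it cannot
    tell a genuine reply from an unsolicited packet that merely has ACK set."""
    return bool(p.flags & (ACK | RST))


class StatelessFirewall:
    """Models the rc.firewall style:
         allow tcp from any to INSIDE SERVICES setup
         allow tcp from any to any established
         deny ip from any to any"""

    def decide(self, p: Packet) -> str:
        if p.dst == INSIDE and p.dport in SERVICES and is_setup(p):
            return "allow"
        if is_established(p):
            return "allow"
        return "deny"


class StatefulFirewall:
    """Models the style asked about in the question (with 'setup' added):
         check-state
         allow tcp from any to INSIDE SERVICES setup keep-state
         deny ip from any to any
    A dynamic rule is stored as (src, sport, dst, dport) for both directions.
    Real ipfw also ages dynamic rules out; this toy model omits expiry."""

    def __init__(self) -> None:
        self.dynamic: set = set()

    def decide(self, p: Packet) -> str:
        # check-state: a packet belonging to an already tracked flow is allowed
        if (p.src, p.sport, p.dst, p.dport) in self.dynamic:
            return "allow"
        # keep-state rule: only a connection request to a permitted service
        # creates a dynamic rule, which then admits that flow's replies
        if p.dst == INSIDE and p.dport in SERVICES and is_setup(p):
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            self.dynamic.add((p.dst, p.dport, p.src, p.sport))
            return "allow"
        return "deny"


def run_scenario() -> dict:
    """Feed the same constructed packets, in order, through both models and
    return {name: (stateless decision, stateful decision)}."""
    remote = "203.0.113.9"  # constructed: a host on the Internet
    packets = {
        "ssh_syn":   Packet(remote, 40000, INSIDE, 22, SYN),        # new SSH connection
        "ssh_reply": Packet(INSIDE, 22, remote, 40000, SYN | ACK),  # server's reply
        "stray_ack": Packet(remote, 40001, INSIDE, 6000, ACK),      # no such connection
        "x11_syn":   Packet(remote, 40002, INSIDE, 6000, SYN),      # request to a closed port
    }
    stateless, stateful = StatelessFirewall(), StatefulFirewall()
    return {name: (stateless.decide(p), stateful.decide(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (a, b) in run_scenario().items():
        print(f"{name:10s} stateless={a:5s} stateful={b}")
```

Running it shows where the two styles diverge: the SSH request and its reply are allowed by both, and a SYN to port 6000 is denied by both, but the unsolicited packet to port 6000 with only ACK set passes the "established" rule (the flag test is satisfied) while the stateful model denies it because no dynamic rule exists for that flow. That is the practical reason the stateful form is the tighter one for a home firewall. Two caveats follow from the ipfw(8) semantics the model reflects: ipfw creates the dynamic rule from whatever packet first matches the keep-state rule, so the rule in the question, which lacks "setup", would also record state for a stray non-SYN packet; combining "setup keep-state" for TCP restricts state creation to connection requests, which is what the model does. And dynamic rules live in a finite, time-limited table, so a stateful rule set should be checked against the dynamic-rule limits and lifetimes on the host rather than assumed to track every flow indefinitely.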