From owner-freebsd-ipfw Wed Jul 28 1:14:51 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id 2881414E91 for ; Wed, 28 Jul 1999 01:14:47 -0700 (PDT) (envelope-from Alain.Thivillon@hsc.fr)
Received: from yoko.hsc.fr (yoko.hsc.fr [192.70.106.76]) by itesec.hsc.fr (Postfix) with ESMTP id 45AE910EAE; Wed, 28 Jul 1999 10:14:47 +0200 (CEST)
Received: by yoko.hsc.fr (Postfix release-19990601, from userid 1001) id ED1F112FEE0; Wed, 28 Jul 1999 10:14:27 +0200 (CEST)
Date: Wed, 28 Jul 1999 10:14:27 +0200
From: Alain Thivillon
To: Scott Taylor
Cc: freebsd-ipfw@freebsd.org
Subject: Re: reflexive access lists?
Message-ID: <19990728101427.E28741@yoko.hsc.fr>
References: <379DED83.70D4B4BE@graphicexpress.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95.5i
In-Reply-To: <379DED83.70D4B4BE@graphicexpress.net>; from Scott Taylor on Tue, Jul 27, 1999 at 11:33:55AM -0600
X-Organization: Herve Schauer Consultants
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Scott Taylor wrote:

> One of the rules that I have in the access lists on my cisco routers
> that I wish I could setup of my freebsd box are reflexive access lists.
> I'd love to be able to allow packets that are replies to requests from
> my machine be automatically allowed without allowing such a blanket

ipfilter uses "keep state" to store information about sessions and dynamically opens up TCP, UDP and even ICMP 'reflexive' flows.
If I want to enable all outgoing connections from my box and block everything else (warning, this will be a very bad setup if this box is a router):

    pass out quick on lo0 from any to any
    pass in quick on lo0 from any to any
    block in log quick from any to any with ipopts
    block in log quick proto tcp from any to any with short
    pass out quick proto tcp from any to any keep state
    pass out quick proto udp from any to any keep state
    pass out quick proto icmp from any to any keep state
    block return-rst in log quick proto tcp from any to any
    block return-icmp(port-unr) in log quick proto udp from any to any
    block return-icmp(13) in log from any to any
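To make the "keep state" behaviour of the ruleset above concrete, here is a small Python model added to this archived message; it is not part of the original mail and not ipfilter's own code. It parses the subset of ipf rule syntax the ruleset uses (all "from any to any"), keeps a state table of outbound flows, and replays constructed packets (hosts 192.0.2.10, 198.51.100.5 and 203.0.113.7 are documentation addresses chosen for the example). The simplifications are assumptions: the state table is consulted before the rule list, evaluation is last-match-wins unless "quick" short-circuits, and a packet matching no rule passes.

```python
"""Toy model of ipfilter 'keep state' matching (added illustration, not ipf code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# The ruleset from the message, verbatim.
RULESET = """\
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block return-rst in log quick proto tcp from any to any
block return-icmp(port-unr) in log quick proto udp from any to any
block return-icmp(13) in log from any to any
"""


@dataclass
class Rule:
    action: str                      # 'pass' or 'block'
    direction: str                   # 'in' or 'out'
    quick: bool = False              # stop evaluating if this rule matches
    iface: Optional[str] = None      # 'on <iface>'
    proto: Optional[str] = None      # 'proto tcp|udp|icmp'
    with_opt: Optional[str] = None   # 'with ipopts' / 'with short'
    keep_state: bool = False         # 'keep state'
    reply: Optional[str] = None      # 'return-rst' / 'return-icmp(...)'


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # e.g. {'ipopts'} or {'short'}


def parse_rule(line: str) -> Rule:
    """Parse one ipf rule of the subset used above (assumed grammar)."""
    toks = line.split()
    i, reply = 1, None
    if toks[i].startswith("return-"):
        reply, i = toks[i], i + 1
    rule = Rule(action=toks[0], direction=toks[i], reply=reply)
    i += 1
    while i < len(toks):
        tok = toks[i]
        if tok == "log":
            pass                       # logging does not affect matching
        elif tok == "quick":
            rule.quick = True
        elif tok == "on":
            i += 1
            rule.iface = toks[i]
        elif tok == "proto":
            i += 1
            rule.proto = toks[i]
        elif tok in ("from", "to"):
            i += 1                     # only 'any' is modelled
        elif tok == "with":
            i += 1
            rule.with_opt = toks[i]
        elif tok == "keep":
            i += 1                     # consumes 'state'
            rule.keep_state = True
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
        i += 1
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.with_opt is None or rule.with_opt in pkt.flags))


class Firewall:
    def __init__(self, ruleset: str) -> None:
        self.rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
        self.state: Set[Tuple] = set()   # 5-tuples of flows opened by 'keep state'

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.state or rev in self.state:
            return "pass (state)"      # reply to a tracked flow: rule list skipped
        chosen = None
        for rule in self.rules:
            if matches(rule, pkt):
                chosen = rule
                if rule.quick:
                    break              # 'quick': first match wins
        if chosen is None or chosen.action == "pass":
            if chosen is not None and chosen.keep_state:
                self.state.add(fwd)    # remember the flow so its replies get in
            return "pass"
        return "block" + (f" {chosen.reply}" if chosen.reply else "")


def demo() -> List[str]:
    """Replay constructed traffic; returns one verdict per packet."""
    fw = Firewall(RULESET)
    host, peer, other = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    packets = [
        Packet("out", "fxp0", "tcp", host, 40000, peer, 80),     # our HTTP request
        Packet("in", "fxp0", "tcp", peer, 80, host, 40000),      # its reply
        Packet("out", "fxp0", "udp", host, 5353, peer, 53),      # our DNS query
        Packet("in", "fxp0", "udp", peer, 53, host, 5353),       # its reply
        Packet("in", "fxp0", "tcp", other, 5555, host, 22),      # unsolicited TCP
        Packet("in", "fxp0", "udp", other, 53, host, 4444),      # unsolicited UDP
        Packet("in", "fxp0", "icmp", other, 0, host, 0),         # unsolicited ICMP
        Packet("in", "fxp0", "tcp", other, 1, host, 2, frozenset({"ipopts"})),
        Packet("in", "lo0", "tcp", "127.0.0.1", 1, "127.0.0.1", 2),
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The replay shows the point of the message: the two inbound replies pass only because the matching outbound packet was seen first, while the same inbound packets without a prior outbound flow hit the "block return-rst" / "block return-icmp" rules. The lo0 rules and the "with ipopts" rule also behave as expected, and the last rule (which lacks "quick") still wins as the final match for anything earlier rules did not stop.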