Message-ID: <3B1FDEC6.DD592573@iowna.com>
Date: Thu, 07 Jun 2001 16:06:30 -0400
From: Bill Moran
To: Josh Thomas
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW rules and outward connections

Josh Thomas wrote:
>
> I am looking to set up a firewall to be closed to all incoming connections
> except for 20-22 (for ftp and ssh), and to allow all outward
> connections. However, I'm having trouble specifically keeping the
> dynamically assigned ports above 1024 for normal usage open. ie, http
> from other machines, ftp from other machines. Is there specifically a way
> to allow outgoing connections and then keep that port open for incoming
> connections for a short time? This seems to be somewhat the functionality
> of keep-state, however that does not appear to work. If anybody has any
> examples, I would appreciate them. Neither the freebsd handbook nor the
> ipfw manpage goes into enough detail as I needed. Please cc responses, as
> I am not on the freebsd-questions list.

A rule like:

    allow ip from any to any established

would allow anything that was already initiated to continue.
Then you could restrict what was able to be initiated.

-Bill
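
Added example, not part of the original message and not ipfw code: a small Python model contrasting a stateless `established` check (TCP packets with the ACK or RST bit set) with a `check-state`/`keep-state` table, run over constructed packets. The addresses, the 30-second lifetime and all names are assumptions made for the illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "direction proto src sport dst dport flags")
HOST = "192.0.2.10"        # constructed address of the firewalled host
SERVICES = {20, 21, 22}    # inbound TCP ports from the question

def is_setup(p):
    # ipfw 'setup': TCP with SYN set and ACK clear
    return p.proto == "tcp" and "syn" in p.flags and "ack" not in p.flags

def stateless(p):
    """'established' rule first, then rules limiting what may be initiated."""
    if p.proto == "tcp" and p.flags & {"ack", "rst"}:
        return "allow"     # 'established' only inspects the ACK/RST bits
    if p.direction == "out":
        return "allow"     # all outward traffic is permitted
    if is_setup(p) and p.dport in SERVICES:
        return "allow"
    return "deny"          # inbound UDP replies never match 'established'

class Stateful:
    """check-state first, then keep-state on whatever may be initiated."""
    def __init__(self, lifetime=30):   # seconds; assumed value for the model
        self.lifetime, self.states = lifetime, {}
    def filter(self, p, now):
        # one key for both directions, like a bidirectional dynamic rule
        key = (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        if self.states.get(key, 0) > now:            # check-state hit
            self.states[key] = now + self.lifetime   # refresh the timer
            return "allow"
        may_start = p.direction == "out" or (is_setup(p) and p.dport in SERVICES)
        if may_start:                                # keep-state
            self.states[key] = now + self.lifetime
            return "allow"
        return "deny"

# Constructed sample packets (documentation address ranges).
DNS_QUERY = Pkt("out", "udp", HOST, 1053, "198.51.100.53", 53, frozenset())
DNS_REPLY = Pkt("in", "udp", "198.51.100.53", 53, HOST, 1053, frozenset())
SSH_SYN = Pkt("in", "tcp", "203.0.113.7", 40000, HOST, 22, frozenset({"syn"}))
LONE_ACK = Pkt("in", "tcp", "203.0.113.7", 40001, HOST, 8080, frozenset({"ack"}))

def compare():
    fw = Stateful()
    timeline = [(0, DNS_QUERY), (1, DNS_REPLY), (2, SSH_SYN), (3, LONE_ACK), (60, DNS_REPLY)]
    # each row: (time, stateless verdict, stateful verdict)
    return [(t, stateless(p), fw.filter(p, t)) for t, p in timeline]

if __name__ == "__main__": print(*compare(), sep="\n")
```

In this model the stateless check drops the UDP reply and passes an ACK segment that belongs to no connection, while the state table does the reverse and stops accepting the reply once the entry has expired.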