From: Ivan Voras
To: freebsd-net@freebsd.org
Date: Fri, 04 Apr 2008 01:52:17 +0200
Subject: Re: Trouble with IPFW or TCP?
In-Reply-To: <20080403234059.GA53417@owl.midgard.homeip.net>
Erik Trulsson wrote:
> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
>> In which case would an ipfw ruleset like this:
>>
>> 00100 114872026 40487887607 allow ip from any to any via lo0
>> 00200 0 0 deny ip from any to 127.0.0.0/8
>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>> 00600 1585 112576 deny ip from table(0) to me
>> 01000 90279 7325972 allow icmp from any to any
>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
>> 05100 634155 65779377 allow udp from me to any keep-state
>> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
>> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
>> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
>> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
>> 65400 12273387 629703212 deny log ip from any to any
>> 65535 0 0 deny ip from any to any
>
> If you are using 'keep-state' should there not also be some rule containing
> 'check-state' ?

Not according to the ipfw(8) manual:

"""
These dynamic rules, which have a limited lifetime, are checked at the
first occurrence of a check-state, keep-state or limit rule, and are
typically used to open the firewall on-demand to legitimate traffic only.
See the STATEFUL FIREWALL and EXAMPLES Sections below for more
information on the stateful behaviour of ipfw.
"""

I read this to mean the dynamic rules are checked at rule #5000 from the
above list. Is there an advantage to having an explicit check-state rule
in simple rulesets like this one?