Date:      Fri, 04 Apr 2008 01:52:17 +0200
From:      Ivan Voras <ivoras@freebsd.org>
To:        freebsd-net@freebsd.org
Subject:   Re: Trouble with IPFW or TCP?
Message-ID:  <ft3qji$cr9$1@ger.gmane.org>
In-Reply-To: <20080403234059.GA53417@owl.midgard.homeip.net>
References:  <ft3phn$ai3$1@ger.gmane.org> <20080403234059.GA53417@owl.midgard.homeip.net>


Erik Trulsson wrote:
> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
>> In which case would an ipfw ruleset like this:
>>
>> 00100 114872026  40487887607 allow ip from any to any via lo0
>> 00200         0            0 deny ip from any to 127.0.0.0/8
>> 00300         0            0 deny ip from 127.0.0.0/8 to any
>> 00600      1585       112576 deny ip from table(0) to me
>> 01000     90279      7325972 allow icmp from any to any
>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
>> 05100    634155     65779377 allow udp from me to any keep-state
>> 06022    409604     69177326 allow tcp from any to me dst-port 22 setup keep-state
>> 06080  52159025  43182548092 allow tcp from any to me dst-port 80 setup keep-state
>> 06443   6392366   2043532158 allow tcp from any to me dst-port 443 setup keep-state
>> 07020    517065    292377553 allow tcp from any to me dst-port 8080 setup keep-state
>> 65400  12273387    629703212 deny log ip from any to any
>> 65535         0            0 deny ip from any to any
>
> If you are using 'keep-state', should there not also be some rule containing
> 'check-state'?

Not according to the ipfw(8) manual:

"""
      These dynamic rules, which have a limited lifetime, are checked at =
the
      first occurrence of a check-state, keep-state or limit rule, and=20
are typ-
      ically used to open the firewall on-demand to legitimate traffic on=
ly.
      See the STATEFUL FIREWALL and EXAMPLES Sections below for more=20
informa-
      tion on the stateful behaviour of ipfw.
"""

I read this to mean the dynamic rules are checked at rule #5000 from the
above list. Is there an advantage to having an explicit check-state rule
in simple rulesets like this one?



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ft3qji$cr9$1>
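The message above reads ipfw(8) as consulting dynamic rules at the first keep-state rule, which in the posted ruleset is rule 5000. The following Python model is an added illustration, not part of this thread and not ipfw's own code: it implements just enough of the rule semantics (static matching, a dynamic state table keyed on the flow, and the "first check-state/keep-state rule" point of evaluation) to run a reduced copy of the posted ruleset twice, once as posted and once with a hypothetical `check-state` inserted at rule 500, ahead of the `deny ip from table(0) to me` rule. The addresses, ports and table(0) contents are constructed sample data; the lo0/127.0.0.0/8 rules and all but one of the `dst-port` rules are left out, and interface matching, `limit` and dynamic-rule timeouts are not modelled.

```python
# Toy model of ipfw(8)'s evaluation order for static vs. dynamic rules.
# Added illustration, not ipfw's own code; addresses and table(0) contents are constructed.
from dataclasses import dataclass
from typing import Optional

ME = {"192.0.2.10"}  # constructed: this host's address ("me")
TABLE0 = set()       # constructed: contents of ipfw table(0)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool = False  # SYN without ACK, ipfw's "setup"

@dataclass
class Rule:
    number: int
    action: str   # "allow", "deny" or "check-state"
    proto: str    # "ip", "tcp", "udp" or "icmp"
    src: str      # "any", "me" or "table(0)"
    dst: str
    dport: Optional[int] = None
    setup: bool = False
    keep_state: bool = False

def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    if spec == "table(0)":
        return addr in TABLE0
    return spec == addr

def static_match(rule, pkt):
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (not rule.setup or pkt.setup))

def flow_key(pkt):
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])  # both directions
    return (pkt.proto, ends[0], ends[1])

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}  # flow_key -> action of the rule that created it

    def evaluate(self, pkt):
        """Return (rule_number, action, "static"|"dynamic") deciding pkt."""
        dynamic_checked = False
        for r in self.rules:
            # Per ipfw(8): dynamic rules are consulted at the FIRST check-state, keep-state or limit rule.
            if not dynamic_checked and (r.action == "check-state" or r.keep_state):
                dynamic_checked = True
                hit = self.dynamic.get(flow_key(pkt))
                if hit is not None:
                    return r.number, hit, "dynamic"
            if r.action == "check-state":
                continue  # check-state has no static match of its own
            if static_match(r, pkt):
                if r.keep_state:
                    self.dynamic[flow_key(pkt)] = r.action
                return r.number, r.action, "static"
        return 65535, "deny", "static"

def build_ruleset(explicit_check_state=False):
    # Reduced copy of the posted ruleset (loopback rules and most dst-port rules omitted).
    rules = [
        Rule(600, "deny", "ip", "table(0)", "me"),
        Rule(1000, "allow", "icmp", "any", "any"),
        Rule(5000, "allow", "tcp", "me", "any", setup=True, keep_state=True),
        Rule(6080, "allow", "tcp", "any", "me", dport=80, setup=True, keep_state=True),
        Rule(65400, "deny", "ip", "any", "any"),
    ]
    if explicit_check_state:
        # Hypothetical addition: a check-state ahead of the table(0) deny.
        rules.append(Rule(500, "check-state", "ip", "any", "any"))
    return Firewall(rules)

def demo():
    """Run the same three packets through both rulesets; return the decisions."""
    results = {}
    for name, fw in (("implicit", build_ruleset()),
                     ("explicit", build_ruleset(explicit_check_state=True))):
        TABLE0.clear()
        syn = Packet("tcp", "192.0.2.10", 40000, "203.0.113.5", 80, setup=True)
        synack = Packet("tcp", "203.0.113.5", 80, "192.0.2.10", 40000)
        decisions = [fw.evaluate(syn), fw.evaluate(synack)]
        TABLE0.add("203.0.113.5")  # the peer is blocklisted mid-session
        decisions.append(fw.evaluate(synack))
        results[name] = decisions
    return results
```

With the ruleset as posted, the outbound SYN creates state at 5000 and the SYN/ACK is admitted by the dynamic rule at 5000, but once the peer is added to table(0) the reply is denied at 600, because that static rule runs before the first keep-state rule and the dynamic table has not been consulted yet. With the hypothetical check-state at 500 the same reply is admitted at 500 even after the blocklist entry. Which behaviour is wanted is a policy decision (a blocklist that also kills established sessions versus one that only stops new ones), and an explicit check-state is what lets you choose the point in the ruleset at which that decision is made.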