From: Julian Elischer
Date: Thu, 03 Apr 2008 17:21:35 -0700
Message-ID: <47F5748F.9050207@elischer.org>
To: Ivan Voras
Cc: freebsd-net@freebsd.org
References: <20080403234059.GA53417@owl.midgard.homeip.net>
In-Reply-To:
Subject: Re: Trouble with IPFW or TCP?
Ivan Voras wrote:
> Erik Trulsson wrote:
>> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
>>> In which case would an ipfw ruleset like this:
>>>
>>> 00100 114872026 40487887607 allow ip from any to any via lo0
>>> 00200 0 0 deny ip from any to 127.0.0.0/8
>>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>>> 00600 1585 112576 deny ip from table(0) to me
>>> 01000 90279 7325972 allow icmp from any to any
>>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
>>> 05100 634155 65779377 allow udp from me to any keep-state
>>> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
>>> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
>>> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
>>> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
>>> 65400 12273387 629703212 deny log ip from any to any
>>> 65535 0 0 deny ip from any to any
>>
>> If you are using 'keep-state' should there not also be some rule
>> containing 'check-state' ?
>
> Not according to the ipfw(8) manual:
>
> """
> These dynamic rules, which have a limited lifetime, are checked at the
> first occurrence of a check-state, keep-state or limit rule, and are
> typically used to open the firewall on-demand to legitimate traffic only.
> See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> information on the stateful behaviour of ipfw.
> """
>
> I read this to mean the dynamic rules are checked at rule #5000 from the
> above list. Is there an advantage to having an explicit check-state rule
> in simple rulesets like this one?

the docs are wrong then I think.