Date:      Thu, 03 Apr 2008 17:21:35 -0700
From:      Julian Elischer <julian@elischer.org>
To:        Ivan Voras <ivoras@freebsd.org>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Trouble with IPFW or TCP?
Message-ID:  <47F5748F.9050207@elischer.org>
In-Reply-To: <ft3qji$cr9$1@ger.gmane.org>
References:  <ft3phn$ai3$1@ger.gmane.org>	<20080403234059.GA53417@owl.midgard.homeip.net> <ft3qji$cr9$1@ger.gmane.org>

Ivan Voras wrote:
> Erik Trulsson wrote:
>> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
>>> In which case would an ipfw ruleset like this:
>>>
>>> 00100 114872026  40487887607 allow ip from any to any via lo0
>>> 00200         0            0 deny ip from any to 127.0.0.0/8
>>> 00300         0            0 deny ip from 127.0.0.0/8 to any
>>> 00600      1585       112576 deny ip from table(0) to me
>>> 01000     90279      7325972 allow icmp from any to any
>>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
>>> 05100    634155     65779377 allow udp from me to any keep-state
>>> 06022    409604     69177326 allow tcp from any to me dst-port 22 setup keep-state
>>> 06080  52159025  43182548092 allow tcp from any to me dst-port 80 setup keep-state
>>> 06443   6392366   2043532158 allow tcp from any to me dst-port 443 setup keep-state
>>> 07020    517065    292377553 allow tcp from any to me dst-port 8080 setup keep-state
>>> 65400  12273387    629703212 deny log ip from any to any
>>> 65535         0            0 deny ip from any to any
>>
>> If you are using 'keep-state', should there not also be some rule
>> containing 'check-state'?
> 
> Not according to the ipfw(8) manual:
> 
> """
>      These dynamic rules, which have a limited lifetime, are checked at the
>      first occurrence of a check-state, keep-state or limit rule, and are
>      typically used to open the firewall on-demand to legitimate traffic only.
>      See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>      information on the stateful behaviour of ipfw.
> """
> 
> I read this to mean the dynamic rules are checked at rule #5000 from the 
> above list. Is there an advantage to having an explicit check-state rule 
> in simple rulesets like this one?

The docs are wrong then, I think.
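Whichever reading of the manual is right, an explicit check-state rule takes the question off the table, because the dynamic entries are then consulted at a rule number you chose rather than wherever the first keep-state rule happens to sit. The script below is an added example, not code from this thread or from FreeBSD: it is the posted ruleset with a check-state at 00700, kept after the table(0) deny so that blocked sources stay blocked even for traffic that would match an existing dynamic entry, plus a small check that works on either a rules file or `ipfw list` output. The rule numbers and table 0 come from the posted list; the helper names emit_rules, load_ruleset and state_check_is_early are my own.

```shell
#!/bin/sh
# Added example (not from the thread). The posted ruleset with an explicit
# check-state at 00700. Placed after the table(0) deny, so hosts in that
# table are still refused before any state lookup; nothing else between
# 00700 and the first keep-state rule (05000) changes.

# Emit the rules in ipfw(8) file syntax, one command per line.
# Rule 65535 (the kernel's default deny) is not listed; it always exists.
emit_rules() {
    cat <<'EOF'
flush
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00600 deny ip from table(0) to me
add 00700 check-state
add 01000 allow icmp from any to any
add 05000 allow tcp from me to any setup keep-state
add 05100 allow udp from me to any keep-state
add 06022 allow tcp from any to me dst-port 22 setup keep-state
add 06080 allow tcp from any to me dst-port 80 setup keep-state
add 06443 allow tcp from any to me dst-port 443 setup keep-state
add 07020 allow tcp from any to me dst-port 8080 setup keep-state
add 65400 deny log ip from any to any
EOF
}

# Load the ruleset: ipfw(8) accepts a pathname and reads one command per
# line; -q suppresses per-rule output and the flush confirmation prompt.
# Between "flush" and the first "add" the default rule alone applies, so
# run this from the console or a session that does not depend on it.
load_ruleset() {
    emit_rules | /sbin/ipfw -q /dev/stdin
}

# Sanity check for a rules file or for `ipfw list` output on stdin:
# succeed only if an explicit check-state sorts before the first rule
# that creates dynamic state (keep-state or limit).
state_check_is_early() {
    awk '
        { n = ($1 ~ /^[0-9]+$/) ? $1 : $2 }   # rule number in either format
        /check-state/ && cs == "" { cs = n }
        /keep-state|limit/ && ks == "" { ks = n }
        END { exit !(cs != "" && ks != "" && cs + 0 < ks + 0) }
    '
}
```

To review a running firewall rather than a file, pipe `ipfw list` into state_check_is_early; the posted ruleset, having no check-state at all, fails the check.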

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47F5748F.9050207>