From: Ivan Voras
To: freebsd-net@freebsd.org
Date: Fri, 04 Apr 2008 10:51:47 +0200
Subject: Re: Trouble with IPFW or TCP?
In-Reply-To: <47F5748F.9050207@elischer.org>
References: <20080403234059.GA53417@owl.midgard.homeip.net> <47F5748F.9050207@elischer.org>
Julian Elischer wrote:
> Ivan Voras wrote:
>> Not according to the ipfw(8) manual:
>>
>> """
>> These dynamic rules, which have a limited lifetime, are checked at the
>> first occurrence of a check-state, keep-state or limit rule, and are
>> typically used to open the firewall on-demand to legitimate traffic only.
>> See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>> information on the stateful behaviour of ipfw.
>> """
>>
>> I read this to mean the dynamic rules are checked at rule #5000 from
>> the above list. Is there an advantage to having an explicit
>> check-state rule in simple rulesets like this one?
>
> the docs are wrong then I think.

Ok, but:

- The connections work. If keep-states don't include an implicit check-state
  somewhere, the behaviour should be as if there's no "keep-state" option
  on the rules, i.e. only the "setup" (syn,!ack) packet would pass, which
  would prevent TCP connections from happening (from experience I know
  that omitting keep-state works just like that).
- The same behaviour works on other machines (no explicit check-state)
  ranging from 5.x to 7-STABLE.
- I've been using ipfw this way since FreeBSD 4.4 or something like that,
  without the described problems. The other machine with 7.x also doesn't
  have check-state and works.