Date:      Sun, 25 Feb 2001 19:10:36 +0100
From:      Roelof Osinga <roelof@eboa.com>
To:        Duraid <latif2221@home.com>
Cc:        "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: netfilter in freebsd
Message-ID:  <3A994A9C.6E5542EA@eboa.com>
References:  <3A977CB1.7EF85F24@home.com> <20010224144734.A23735@daemon.kingsqueak.org> <3A982EE9.6BB6F1BE@eboa.com> <3A97EB10.BA8E0293@home.com> <3A9838E9.D96506BF@eboa.com> <3A98FB62.C9F8DE38@home.com>

Duraid wrote:
> 
> Not really.. after lots of digging through.. there is a major difference
> between the two... ipfilter is a true stateful packet filter... that is, it has
> a state table that can keep track of every packet that you send using the 'keep
> state' keyword. This way you can block anything that you didn't send, while ipfw
> has the 'established' option but it doesn't use a state table (memory) but only
> decides upon seeing certain flags in the packet (ACK and maybe FIN) which anybody
> can fake and pierce your firewall.

From ipfw(8):

     If the ruleset includes one or more rules with the keep-state option,
     then ipfw assumes a stateful behaviour, i.e. upon a match will create
     dynamic rules matching the exact parameters (addresses and ports) of the
     matching packet.

     These dynamic rules, which have a limited lifetime, are checked at the
     first occurrence of a check-state or keep-state rule, and are typically
     used to open the firewall on-demand to legitimate traffic only.  See the
     RULE FORMAT and EXAMPLES sections below for more information on the
     stateful behaviour of ipfw.

Maybe I'm missing something, but it sure looks like an in-memory
table to me.

Roelof

PS I'm looking at a 4.2 manpage here. The 3.4 and earlier have indeed
only the established option. Don't know about 3.5.
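As an added illustration (not part of the thread or of ipfw itself), a small Python model of the two matching styles being compared: an `established` rule, which judges inbound packets on their TCP flag bits alone, and a `check-state`/`keep-state` pair, which keeps an in-memory table of dynamic rules with a limited lifetime, as the 4.2 manpage excerpt describes. The addresses, ports, packets and the 300 s lifetime are constructed for the demonstration.

```python
from collections import namedtuple

# Constructed packet model: flags is a frozenset of TCP flag names, direction is "out" or "in".
Packet = namedtuple("Packet", "src sport dst dport flags direction")

class EstablishedFilter:
    """'allow tcp from any to any established' then deny: inbound packets are
    judged on their flag bits alone, nothing is remembered between packets."""
    def accept(self, pkt, now):
        if pkt.direction == "out":
            return True
        return bool(pkt.flags & {"ACK", "RST"})  # ipfw(8): established = RST or ACK set

class KeepStateFilter:
    """'check-state' then 'allow tcp from any to any out setup keep-state': an
    outbound SYN creates a dynamic rule keyed on the exact addresses and ports;
    later packets in either direction pass only while that entry is alive."""
    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.table = {}  # (src, sport, dst, dport) -> expiry timestamp

    def accept(self, pkt, now):
        self.table = {k: t for k, t in self.table.items() if t > now}  # drop expired entries
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.table:  # check-state matched a dynamic rule: refresh its lifetime
                self.table[key] = now + self.lifetime
                return True
        if pkt.direction == "out" and pkt.flags == {"SYN"}:  # keep-state on the setup rule
            self.table[fwd] = now + self.lifetime
            return True
        return False

def run_scenario():
    """Constructed traffic: one real outbound connection, then an unrelated inbound ACK."""
    est, ks = EstablishedFilter(), KeepStateFilter(lifetime=300)
    syn = Packet("10.0.0.2", 40000, "192.0.2.10", 80, frozenset({"SYN"}), "out")
    synack = Packet("192.0.2.10", 80, "10.0.0.2", 40000, frozenset({"SYN", "ACK"}), "in")
    stray = Packet("198.51.100.7", 4444, "10.0.0.2", 22, frozenset({"ACK"}), "in")
    result = {}
    for name, fw in (("established", est), ("keep-state", ks)):
        fw.accept(syn, now=0)
        result[name] = {
            "reply": fw.accept(synack, now=1),
            "stray_ack": fw.accept(stray, now=2),
            "reply_after_expiry": fw.accept(synack, now=1000),  # past the 300 s lifetime
        }
    return result
```

The flag-only filter passes the stray ACK it never saw a connection for; the stateful one rejects it, and also rejects the legitimate reply once its dynamic rule has expired.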
