Date:      Wed, 19 Mar 2003 15:19:51 -0800
From:      "Drew Tomlinson" <drew@mykitchentable.net>
To:        "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   IPFW - "keep-state/check-state" And "setup/established" Confusion
Message-ID:  <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong>

I'm using ipfw2 to set up a firewall on 4.8-RC for my home network.  I used
the rule set at http://www.bsdtoday.com/2000/December/rc.firewall.current as
an example but am confused regarding the differences between setting rules
using "setup/established" and "keep-state/check-state".  I've read the ipfw
man page and understand that "setup/established" matches syn/ack bits in a
packet where "keep-state/check-state" actually creates a dynamic rule.  But
not being really knowledgeable about how IP packets are constructed, I'm not
sure what this means in the real world.

If I understand it correctly, the example at BSDToday basically uses
"setup/established" to allow traffic in for services that I allow.  So in my
case I would use it for FTP, SMTP, SSH, and HTTP.  Then the rule set uses
"keep-state/check-state" for connections originating from my internal
network to the outside world.  But why should I not use
"keep-state/check-state" for everything by adding my check-state rule near
the top and then adding the following rule for incoming services:

ipfw add allow ip from any to $inwr 21,22,25,80 keep-state

I've actually done this and it is working but I'd like to know if this is a
good or bad idea and why.

Thanks,

Drew

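The two mechanisms the question contrasts, as an added illustration that is not part of the original post or of ipfw itself: a toy Python model in which "setup" and "established" look only at the TCP flags of the packet in hand, while "keep-state" records a dynamic entry and "check-state" consults those entries. The host name "fw", the addresses, ports and the three packets are constructed for the example.

```python
# Toy model of ipfw "setup"/"established" vs "check-state"/"keep-state" matching.
# Added illustration, not ipfw's code. TCP only; option semantics follow ipfw(8).
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int
    syn: bool = False; ack: bool = False; rst: bool = False

@dataclass
class Rule:                      # src/dst are "any" or a host name; dports None = any port
    action: str; src: str = "any"; dst: str = "any"
    dports: frozenset = None; opts: tuple = ()   # subset of the four ipfw options

@dataclass
class Ipfw:
    rules: list
    dynamic: set = field(default_factory=set)   # (src, sport, dst, dport) entries

    def _has_state(self, p):     # a dynamic entry matches the flow in either direction
        return (p.src, p.sport, p.dst, p.dport) in self.dynamic or (p.dst, p.dport, p.src, p.sport) in self.dynamic

    def filter(self, p):
        for r in self.rules:
            if "check-state" in r.opts and self._has_state(p): return "allow"
            if "check-state" in r.opts: continue  # check-state matches only known flows
            if r.src != "any" and r.src != p.src: continue
            if r.dst != "any" and r.dst != p.dst: continue
            if r.dports is not None and p.dport not in r.dports: continue
            if "setup" in r.opts and not (p.syn and not p.ack): continue   # SYN set, ACK clear
            if "established" in r.opts and not (p.ack or p.rst): continue  # ACK or RST set
            if "keep-state" in r.opts and r.action == "allow":
                self.dynamic.add((p.src, p.sport, p.dst, p.dport))        # create dynamic entry
            return r.action
        return "deny"                            # default rule 65535 on a default-deny kernel

FLAG_RULES = [   # stateless style: "setup" for offered services, "established" for replies
    Rule("allow", dst="fw", dports=frozenset({22, 80}), opts=("setup",)),
    Rule("allow", opts=("established",)), Rule("allow", src="fw"), Rule("deny")]
STATE_RULES = [  # stateful style: check-state near the top, keep-state where flows begin
    Rule("allow", opts=("check-state",)),
    Rule("allow", dst="fw", dports=frozenset({22, 80}), opts=("setup", "keep-state")),
    Rule("allow", src="fw", opts=("setup", "keep-state")), Rule("deny")]

def run(rules):
    # Constructed packets: an ACK-only packet to a port that was never opened, an
    # outbound SYN from the firewall host "fw", and the SYN/ACK reply answering it.
    fw = Ipfw(list(rules))
    stray = Pkt("1.2.3.4", 40000, "fw", 23, ack=True)
    out_syn = Pkt("fw", 50000, "9.9.9.9", 443, syn=True)
    reply = Pkt("9.9.9.9", 443, "fw", 50000, syn=True, ack=True)
    return {"stray_ack": fw.filter(stray), "outbound": fw.filter(out_syn), "reply": fw.filter(reply)}
```

Under FLAG_RULES the ACK-only packet to port 23 is accepted by the "established" rule, because that rule can only look at flag bits; under STATE_RULES it is denied, since no dynamic entry exists for that flow, while the reply to the connection the firewall saw begin is still accepted.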
