Date:      Thu, 7 Jun 2001 15:32:09 -0500 (CDT)
From:      Josh Thomas <jdt2101@ksu.edu>
To:        Bill Moran <wmoran@iowna.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPFW rules and outward connections
Message-ID:  <Pine.GSO.4.21L.0106071523270.15125-100000@unix1.cc.ksu.edu>
In-Reply-To: <3B1FDEC6.DD592573@iowna.com>

For a while I was looking at check-state and keep-state for connections
to keep open.  However, maybe I'm a little confused here.  Where
check-state and keep-state will create a dynamic ruleset for allowing
outward connections to keep a port on my local machine open for response
packets from the remote machine's IP and port for a limited amount of time,
how does the 'established' ruleset differ significantly from this?  From
what I understand, 'established' will do the same thing?  I think I may
have been vague in my initial post.  If I send an HTTP request from
some random high-up port, say 12000, has the connection with a
remote host on 80 been established, and is that port 12000 open for
responses?  And if that is true, does the established connection get lost
after the same period of time (of network inactivity) that check-state
and keep-state do?  Again, please cc: responses.

Josh Thomas
Student Systems Analyst
B
On Thu, 7 Jun 2001, Bill Moran wrote:

> Josh Thomas wrote:
> > 
> > I am looking to set up a firewall to be closed to all incoming connections
> > except for 20-22 (for ftp and ssh), and to allow all outward
> > connections.  However, I'm having trouble specifically keeping the
> > dynamically assigned ports above 1024 for normal usage open.  i.e., HTTP
> > from other machines, ftp from other machines.  Is there specifically a way
> > to allow outgoing connections and then keep that port open for incoming
> > connections for a short time?  This seems to be somewhat the functionality
> > of keep-state, however that does not appear to work.  If anybody has any
> > examples, I would appreciate them.  Neither the freebsd handbook nor the
> > ipfw manpage goes into enough detail as I needed.  Please cc responses, as
> > I am not on the freebsd-questions list.
> 
> A rule like:
> allow ip from any to any established
> would allow anything that was already initiated to continue. Then you
> could restrict what was able to be initiated.
> 
> -Bill
> 
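The distinction Josh asks about, as an added toy model that is not part of this thread or of ipfw itself: it assumes, per the ipfw manpage, that `established` matches any TCP packet carrying the ACK or RST flag with no memory of prior traffic, while `keep-state` records a per-flow dynamic rule that `check-state` consults and that lapses after an idle timeout; the addresses, ports, timestamps and timeout are constructed.

```python
# Added example, not from the thread: a toy model of the two ipfw mechanisms.
# Assumed semantics (ipfw manpage): 'established' = TCP packet with ACK or RST set;
# keep-state/check-state = per-flow dynamic rule with an idle-timeout expiry.
from collections import namedtuple

# src/sport/dst/dport of a TCP packet, its flag set, and a constructed timestamp.
Pkt = namedtuple("Pkt", "src sport dst dport flags t")

def established_allows(p):
    """Stateless check: only the TCP header flags are inspected."""
    return bool(p.flags & {"ACK", "RST"})

def flow_key(p):
    """Direction-independent key so replies match the outbound flow entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

class StateTable:
    """Dynamic rules created by keep-state and consulted by check-state."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.flows = {}  # flow_key -> time of last matching packet

    def keep_state(self, p):
        """Outbound packet matched an 'allow ... keep-state' rule."""
        self.flows[flow_key(p)] = p.t

    def check_state(self, p):
        """Allow only if an unexpired dynamic rule exists; refresh its timer."""
        k = flow_key(p)
        last = self.flows.get(k)
        if last is None or p.t - last > self.idle_timeout:
            self.flows.pop(k, None)
            return False
        self.flows[k] = p.t
        return True

def demo(idle_timeout=300.0):
    """Constructed traffic: the port 12000 -> 80 request plus two other packets."""
    st = StateTable(idle_timeout)
    me, web, other = "192.0.2.10", "198.51.100.80", "203.0.113.9"  # documentation IPs
    st.keep_state(Pkt(me, 12000, web, 80, {"SYN"}, 0.0))           # outbound request
    reply = Pkt(web, 80, me, 12000, {"SYN", "ACK"}, 1.0)           # genuine response
    stray = Pkt(other, 80, me, 12000, {"ACK"}, 2.0)                # no flow ever opened
    late = Pkt(web, 80, me, 12000, {"ACK"}, 1.0 + idle_timeout + 1)  # after idle expiry
    # Each entry: (allowed by 'established', allowed by check-state)
    return {
        "reply": (established_allows(reply), st.check_state(reply)),
        "stray": (established_allows(stray), st.check_state(stray)),
        "late": (established_allows(late), st.check_state(late)),
    }
```

The model shows why the two are not interchangeable: `established` admits both the stray and the long-idle packet purely on their flag bits, whereas the dynamic rule admits only the reply that belongs to a flow the host actually opened, and only until the idle timer runs out.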

