Date: Wed, 6 Sep 2000 00:09:10 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Daryl Chance <dchance@valuedata.net>
Cc: FreeBSD Questions <questions@FreeBSD.ORG>
Subject: Re: IPFW: keep-state
Message-ID: <20000906000910.F69158@149.211.6.64.reflexcom.com>
In-Reply-To: <001d01c01744$e38c1f80$0200000a@mike>; from dchance@valuedata.net on Tue, Sep 05, 2000 at 09:23:40AM -0500
References: <001d01c01744$e38c1f80$0200000a@mike>
On Tue, Sep 05, 2000 at 09:23:40AM -0500, Daryl Chance wrote:
> I'm looking at adding the keep-state options to my firewall
> rules. What are the recommended places to put the keep-state
> options at?
keep-state rules can be in a lot of different places. However, the
check-state rule should probably be towards the head of the list.
> I'm not quite sure what keep-state is, I've checked
> the man page and it's not really helped much. Does it basically
> create specific dynamic fw rules?
Yep.
> like:
>
> add allow tcp from any to any 21 keep-state
>
> does this become something like:
>
> allow tcp from 1.2.3.4 to 3.2.4.1 21
>
> ? Or am I totally off the mark.
The source port would also be included and the reverse connection is
also part of the dynamic rule,
allow tcp from 3.2.4.1 21 to 1.2.3.4 src_prt
What it is most useful for (but not the only use) is allowing the
reverse connection to an outgoing one. For example,
allow tcp from ${ipo} to any keep-state
Basically will allow a TCP connection (two way communication) when
initiated by the local machine.
--
Crist J. Clark cjclark@alum.mit.edu
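The behaviour described in the reply, as an added illustration that is not part of the original thread: a small model of an ipfw list with check-state near the head and a `keep-state` rule for outgoing TCP, showing that the dynamic rule carries the source port and matches the reverse direction (the class names, the sample addresses and the port 49152 are constructed; dynamic-rule lifetimes are not modelled).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFirewall:
    """Static rules evaluated in order; a keep-state match installs a
    dynamic entry that later check-state lookups honour in both directions."""

    def __init__(self, local_ip: str):
        self.local_ip = local_ip          # plays the role of ${ipo}
        self.dynamic = set()              # installed dynamic rules

    def _flow_key(self, p: Packet):
        # Both directions of one connection map to the same key, so the
        # entry created for 1.2.3.4:src_port -> 3.2.4.1:21 also matches
        # 3.2.4.1:21 -> 1.2.3.4:src_port.  A different source port is a
        # different flow and does not match.
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p: Packet) -> str:
        # rule 100: check-state, kept towards the head of the list
        if self._flow_key(p) in self.dynamic:
            return "allow (dynamic)"
        # rule 200: allow tcp from ${ipo} to any keep-state
        if p.proto == "tcp" and p.src == self.local_ip:
            self.dynamic.add(self._flow_key(p))
            return "allow (keep-state)"
        # rule 65535: deny everything else
        return "deny"


def demo() -> list:
    """Walk one outgoing connection through the ruleset; constructed sample."""
    fw = StatefulFirewall("1.2.3.4")
    outbound = Packet("tcp", "1.2.3.4", 49152, "3.2.4.1", 21)
    reply = Packet("tcp", "3.2.4.1", 21, "1.2.3.4", 49152)
    unrelated = Packet("tcp", "3.2.4.1", 21, "1.2.3.4", 49153)
    return [
        fw.check(reply),      # deny: nothing outgoing yet, so no dynamic rule
        fw.check(outbound),   # allow (keep-state): dynamic rule installed
        fw.check(reply),      # allow (dynamic): reverse direction of the flow
        fw.check(unrelated),  # deny: other source port, not part of the flow
    ]
```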
