Date: Wed, 6 Sep 2000 00:09:10 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Daryl Chance <dchance@valuedata.net>
Cc: FreeBSD Questions <questions@FreeBSD.ORG>
Subject: Re: IPFW: keep-state
Message-ID: <20000906000910.F69158@149.211.6.64.reflexcom.com>
In-Reply-To: <001d01c01744$e38c1f80$0200000a@mike>; from dchance@valuedata.net on Tue, Sep 05, 2000 at 09:23:40AM -0500
References: <001d01c01744$e38c1f80$0200000a@mike>

On Tue, Sep 05, 2000 at 09:23:40AM -0500, Daryl Chance wrote:
> I'm looking to add the keep-state options to my firewall
> rules. What are the recommended places to put the keep-state
> options at?

keep-state rules can be in a lot of different places. However, the
check-state rule should probably be towards the head of the list.

> I'm not quite sure what keep-state is, I've checked
> the man page and it's not really helped much. Does it basically
> create specific dynamic fw rules?

Yep.

> like:
>
> add allow tcp from any to any 21 keep-state
>
> does this become something like:
>
> allow tcp from 1.2.3.4 to 3.2.4.1 21
>
> ? Or am I totally off the mark.

The source port would also be included and the reverse connection is
also part of the dynamic rule,

  allow tcp from 3.2.4.1 21 to 1.2.3.4 src_prt

What it is most useful for (but not the only use) is allowing the
reverse connection to an outgoing one. For example,

  allow tcp from ${ipo} to any keep-state

Basically will allow a TCP connection (two way communication) when
initiated by the local machine.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
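
The behaviour described in the message above, as an added example that is not part of the original e-mail and is not ipfw's own code: a simplified first-match filter in which a keep-state rule records the full address/port pair so that check-state admits the reverse direction. It assumes ${ipo} is the local outside address (1.2.3.4 here); the source port 40000 is constructed, and state timeouts and TCP flag tracking are left out.

```python
# Simplified model of ipfw keep-state / check-state (illustration, not ipfw code).
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

LOCAL = "1.2.3.4"    # assumed value of ${ipo}; address from the message's example
REMOTE = "3.2.4.1"   # remote FTP server from the message's example


class Firewall:
    def __init__(self, rules):
        self.rules = rules     # static rules, evaluated in order, first match wins
        self.dynamic = set()   # dynamic rules created by keep-state

    @staticmethod
    def _key(p):
        # Unordered endpoint pair: both directions of a flow share one key.
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p):
        for rule in self.rules:
            if rule["action"] == "check-state":
                if self._key(p) in self.dynamic:
                    return "allow (dynamic)"
                continue
            if not rule["match"](p):
                continue
            if rule.get("keep_state"):
                self.dynamic.add(self._key(p))  # includes source port, as noted above
            return rule["action"]
        return "deny"


def build_firewall():
    return Firewall([
        {"action": "check-state"},                      # near the head of the list
        {"action": "allow", "keep_state": True,         # allow tcp from ${ipo} to any keep-state
         "match": lambda p: p.proto == "tcp" and p.src == LOCAL},
        {"action": "deny", "match": lambda p: True},    # everything else
    ])


def demo():
    fw = build_firewall()
    out = Packet("tcp", LOCAL, 40000, REMOTE, 21)     # outgoing connection
    reply = Packet("tcp", REMOTE, 21, LOCAL, 40000)   # its reverse direction
    stray = Packet("tcp", REMOTE, 21, LOCAL, 40001)   # same hosts, different port
    return [fw.check(stray), fw.check(out), fw.check(reply), fw.check(stray)]


if __name__ == "__main__":
    print(demo())
```

Only the reply whose addresses and ports mirror the recorded outgoing packet is admitted; traffic from the same remote host to any other local port still falls through to the static deny rule.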