Date:      Fri, 27 Jul 2007 11:26:10 -0500
From:      Martin McCormick <>
Subject:   Please Help with Confusion about ipfw rules. Solved.
Message-ID:  <>

"fbsd2" writes:
> I use the sample ipfw rules with keep state as shown in the handbook

They do work fine. They just aren't meant for the kind of load
they were under. I needed to know how to get the same
functionality by other means.

	If you use the keep-state directive, high traffic can
basically kill ipfw by running it out of dynamic rule space.

> People on this list don't have ESP so they can't read your mind about what
> rules you have coded.

But they can read down to where it says:

>         ${fwcmd} add pass all from any to ${ip} 53
> and
>         ${fwcmd} add pass all from ${ip} to any 53

It turns out that I didn't catch on to the need for supporting
the reply traffic that each of those two rules generates. This
stateless set of rules solved the problem and does not use up
dynamic rule space.

${fwcmd} add allow ip from any to ${ip} dst-port 53
${fwcmd} add allow ip from ${ip} 53 to any // allow reply traffic
${fwcmd} add allow ip from ${ip} to any dst-port 53
${fwcmd} add allow ip from any 53 to ${ip} // allow reply traffic

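The four stateless rules above, wrapped in a small sh script as an added example (this is not code from the message or from the FreeBSD handbook). Assumptions: the FWCMD variable stands in for the handbook's ${fwcmd} and defaults to "echo ipfw", so the script prints the rules instead of loading them; 192.0.2.10 and the rule numbers are constructed. The example narrows the original in two ways a practitioner would want: "ip" is replaced by "udp" and "tcp", the only protocols that carry ports, and the TCP reply rules add "established", so a connection cannot be opened to an arbitrary port on the host merely by sourcing it from port 53. UDP has no flag to check, so its reply rules stay as wide as the original, which is the trade-off for not keeping state.

```shell
#!/bin/sh
# Added example: stateless ipfw rules for a DNS host, in the spirit of the
# four rules in the message above. FWCMD is an assumed stand-in for the
# handbook's ${fwcmd}; it defaults to "echo ipfw" so this prints the rules
# instead of loading them. Run with FWCMD=ipfw to apply them for real.
FWCMD="${FWCMD:-echo ipfw}"

# dns_rules IP [FIRST_RULE_NUMBER]
# Emits eight stateless rules for one address (four per protocol), so no
# dynamic (keep-state) entries are created however busy the server is.
dns_rules() {
    ip="$1"
    n="${2:-1000}"
    for proto in udp tcp; do
        # TCP replies are limited to packets with ACK or RST set:
        # "established" stops a new connection being opened to any port
        # on $ip merely by sourcing it from port 53. UDP has no flag to
        # check, so its reply rules stay as wide as the original.
        case "$proto" in
            tcp) reply="established" ;;
            *)   reply="" ;;
        esac

        # Queries arriving at our server, then its replies (source port 53).
        $FWCMD add "$n" allow "$proto" from any to "$ip" 53
        n=$((n + 1))
        $FWCMD add "$n" allow "$proto" from "$ip" 53 to any $reply // reply traffic
        n=$((n + 1))

        # Queries we send as a client, then the answers coming back to us.
        $FWCMD add "$n" allow "$proto" from "$ip" to any 53
        n=$((n + 1))
        $FWCMD add "$n" allow "$proto" from any 53 to "$ip" $reply // reply traffic
        n=$((n + 1))
    done
}

# Usage: sh dns_rules.sh 192.0.2.10 1000   (192.0.2.10 is a constructed address)
if [ $# -gt 0 ]; then
    dns_rules "$1" "${2:-1000}"
fi
```

Because the rule numbers are contiguous, the whole set can be removed again with "ipfw delete" on those numbers, or by wrapping it in a rule set before "ipfw set" operations; the point is that nothing here grows with traffic, unlike keep-state entries.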