From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: Steve Bertrand
Cc: questions@freebsd.org
Date: Fri, 29 Aug 2008 11:11:34 -0700
Subject: Re: IPFW: Is keep/check-state inherent?
Message-ID: <20080829181134.GI25990@hal.rescomp.berkeley.edu>
In-Reply-To: <48B83820.8040200@ibctech.ca>
Organization: RSSP-IT, UC Berkeley

Steve Bertrand wrote:
> I can't recall for certain, but not so long ago, I either read or heard
> about IPFW having implicit keep-state and check-state.
>
> Is it true that I can now omit these keywords in my rulesets?

keep-state is not implicit.

check-state is not generally necessary, because dynamic rules are applied at the very first occurrence of a stateful rule.

I prefer to use keep-state for outbound traffic (something like allow all from me to any keep-state). For things with inbound connections, I prefer to not use state (allow tcp from any to me http; allow tcp from me http to any) in order to prevent remote hosts from using up all the dynamic rules.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
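The split Chris describes (stateful outbound, stateless inbound services), written out as an rc-style IPFW script. This is an added example, not code from the thread; the service list, rule numbers, the deny-all tail and the `IPFW` override variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): an IPFW ruleset that keeps
# state only for connections this host initiates. Inbound services get a
# stateless rule pair, so a remote host cannot fill the dynamic rule table
# by opening connections. Service list and rule numbers are assumptions.
IPFW=${IPFW:-/sbin/ipfw}   # set IPFW=echo to preview the rules without loading

load_rules() {
    $IPFW -q flush
    # No explicit check-state: the first keep-state rule also checks the
    # dynamic table, as noted in the reply above.
    # Stateful outbound: anything this host starts, plus its replies.
    $IPFW -q add 200 allow all from me to any keep-state
    # Stateless inbound services, one rule per direction. The stateful form
    # (allow tcp from any to me http keep-state) would add a dynamic entry
    # per remote connection, bounded only by net.inet.ip.fw.dyn_max.
    for svc in http https; do
        $IPFW -q add 300 allow tcp from any to me $svc
        $IPFW -q add 310 allow tcp from me $svc to any
    done
    $IPFW -q add 65000 deny log all from any to any
}

# Report the dynamic rule table ceiling so the operator can see the limit
# that a stateful inbound rule would let remote hosts exhaust.
dyn_limit() {
    sysctl -n net.inet.ip.fw.dyn_max 2>/dev/null || echo "unknown (not FreeBSD)"
}

case "${1:-}" in
    load) load_rules ;;
    limit) dyn_limit ;;
esac
```

Run `IPFW=echo sh ipfw.rules load` to review the generated rules before loading them on a live host.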