Date:      Fri, 29 Aug 2008 11:11:34 -0700
From:      Christopher Cowart <ccowart@rescomp.berkeley.edu>
To:        Steve Bertrand <steve@ibctech.ca>
Cc:        questions@freebsd.org
Subject:   Re: IPFW: Is keep/check-state inherent?
Message-ID:  <20080829181134.GI25990@hal.rescomp.berkeley.edu>
In-Reply-To: <48B83820.8040200@ibctech.ca>
References:  <48B83820.8040200@ibctech.ca>


Steve Bertrand wrote:
> I can't recall for certain, but not so long ago, I either read or heard
> about IPFW having implicit keep-state and check-state.
>
> Is it true that I can now omit these keywords in my rulesets?

keep-state is not implicit. check-state is not generally necessary,
because dynamic rules are applied at the very first occurrence of a
stateful rule.

I prefer to use keep-state for outbound traffic (something like allow
all from me to any keep-state). For things with inbound connections, I
prefer to not use state (allow tcp from any to me http; allow tcp from
me http to any) in order to prevent remote hosts from using up all the
dynamic rules.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
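
A check built on the advice in this message, as an added example that is not part of the original e-mail: the function scans `ipfw list`-style output and reports rules that keep state for traffic addressed to `me` from other hosts. The ruleset is a constructed sample and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag ipfw rules where remote hosts can create dynamic state.
# Reads `ipfw list`-style lines on stdin and prints the numbers of rules that
# accept traffic addressed to `me` from elsewhere and carry keep-state.
stateful_inbound_rules() {
    awk '
    {
        src = ""; dst = ""; stateful = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "from" && i < NF) src = $(i + 1)
            if ($i == "to" && i < NF)   dst = $(i + 1)
            if ($i == "keep-state")     stateful = 1
        }
        # Inbound and stateful: every new remote flow consumes one
        # dynamic rule, so remote hosts control how fast the table fills.
        if (stateful && dst == "me" && src != "me") print $1
    }'
}

# Constructed sample ruleset (not taken from the original message).
# 00200 is the outbound keep-state rule, 00300/00400 the stateless
# inbound pair, 00500 an inbound rule that keeps state.
sample_ruleset() {
    cat <<'EOF'
00100 check-state
00200 allow ip from me to any keep-state
00300 allow tcp from any to me dst-port 80
00400 allow tcp from me 80 to any
00500 allow tcp from any to me dst-port 22 setup keep-state
65535 deny ip from any to any
EOF
}

# Only the inbound stateful rule is reported.
sample_ruleset | stateful_inbound_rules
```

On a live host the same function can be fed from `ipfw list`, and the sysctls `net.inet.ip.fw.dyn_count` and `net.inet.ip.fw.dyn_max` show how much of the dynamic rule table is in use.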



