Date:      Thu, 16 Nov 2017 11:30:09 -0800
From:      javocado <javocado@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   ipfw setup keyword - with and without ...
Message-ID:  <CAP1HOmTB17X-Oh6KsNZgZOHOnztmh9KT5OFjmSkTR-ah8Dr7JQ@mail.gmail.com>

Here are two simple rulesets:
Code:

10 allow tcp from any to any established
20 allow tcp from any to any 22
65535 deny ip from any to any


OR:
Code:

10 allow tcp from any to any established
20 allow tcp from any to any 22 setup
65535 deny ip from any to any


The difference is that the second ruleset has 'setup' modifying the rule
that lets in the traffic we want.

From what I can tell, in actual day to day use, these two rulesets behave
identically.

Am I correct:

I *think* the difference between these is that the second ruleset (with
'setup') is slightly stricter because TCP *fragments* that are not part of
any connection would be allowed through the first ruleset, but would be
blocked by the second ruleset.

Because only a TCP fragment would be *neither* part of connection setup
*nor* part of an established connection.

Is that correct?
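A worked illustration of what the `setup` keyword changes, added here as an example and not part of the original post: it models ipfw's first-match evaluation of the two rulesets above, assuming the ipfw(8) definitions that `established` matches TCP packets with ACK or RST set and `setup` matches packets with SYN set and ACK clear, and it considers only packets that carry a TCP header (the `Rule`, `Packet` and `evaluate` names are the example's own).

```python
# First-match model of the two ipfw rulesets in the post (added example,
# not ipfw code). Assumed ipfw(8) semantics:
#   established -> TCP packet has ACK or RST set
#   setup       -> TCP packet has SYN set and ACK clear
# Only packets that carry a TCP header (and thus flags) are modelled.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "allow" or "deny"
    proto: str                     # "tcp" or "ip"
    dport: Optional[int] = None    # destination port, None = any
    option: Optional[str] = None   # "established", "setup" or None

@dataclass(frozen=True)
class Packet:
    dport: int
    flags: frozenset               # TCP flag names, e.g. {"SYN"}
    proto: str = "tcp"

RULESET_WITHOUT_SETUP = (
    Rule(10, "allow", "tcp", option="established"),
    Rule(20, "allow", "tcp", dport=22),
    Rule(65535, "deny", "ip"),
)
RULESET_WITH_SETUP = (
    Rule(10, "allow", "tcp", option="established"),
    Rule(20, "allow", "tcp", dport=22, option="setup"),
    Rule(65535, "deny", "ip"),
)

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto == "tcp" and pkt.proto != "tcp":
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.option == "established":
        return "ACK" in pkt.flags or "RST" in pkt.flags
    if rule.option == "setup":
        return "SYN" in pkt.flags and "ACK" not in pkt.flags
    return True

def evaluate(ruleset, pkt: Packet) -> Tuple[int, str]:
    """Return (rule number, action) of the first rule that matches."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.number, rule.action
    raise AssertionError("ruleset must end with a catch-all rule")

if __name__ == "__main__":
    # Constructed sample packets to port 22 with different TCP flag sets.
    for name, flags in [("SYN", {"SYN"}), ("ACK", {"ACK"}), ("SYN+ACK", {"SYN", "ACK"}),
                        ("FIN only", {"FIN"}), ("no flags", set())]:
        pkt = Packet(22, frozenset(flags))
        print(f"{name:8} without setup: {evaluate(RULESET_WITHOUT_SETUP, pkt)}"
              f"  with setup: {evaluate(RULESET_WITH_SETUP, pkt)}")
```

Running it shows the two rulesets agree on SYN, ACK and SYN+ACK packets but differ on TCP packets to port 22 that carry neither SYN nor ACK nor RST: the first ruleset accepts them at rule 20, the second falls through to rule 65535.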


