Date:      Fri, 21 Dec 2001 22:13:35 -0800 (PST)
From:      Vincent Chen <>
Subject:   stateful inspection

Dear all,

I need your help to implement a stateful firewall. I am
using ipfw to filter packets and ipfilter to provide
NAT and redirect service. My firewall has the
following rules:

02500 check-state
02510 deny tcp from any to any established
03000 allow tcp from to any keep-state in recv ed0 setup
03100 allow tcp from to any keep-state out xmit tun0 setup

is my private subnet; is my DSL IP.

When I open a TCP connection from inside, rules 3000
and 3100 will create 2 dynamic rules. Rule 3100 will
expire soon after some TCP connection is open, telnet
is an example. The dynamic rule created by rule 3000
remains, but the incoming packet is denied by the firewall
because the dynamic rule created by rule 3100 is missing. How
can I solve this problem?

BTW: I read articles in the manual page and mailing list
discussion, but I am still confused. While the connection
is being established, do we have syn + ( syn + ack ) + (
syn + ack ), max. 660s to create a dynamic rule
successfully? After the connection is established, how much
time do we have to transmit data before the dynamic rule
expires? Will this tcp session be kept alive if

Thanks for your help, I would really like to have this
feature work.

Vincent Chen
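As an added example (not part of Vincent's post, nor of any reply in the thread), the script below emits a stateful ipfw ruleset in the shape the post describes and loads it only when an ipfw binary is present. The subnet is a constructed placeholder (192.0.2.0/24, from the documentation range) standing in for the address the post elides; the interface names ed0 and tun0 are taken from the post. It departs from the post in one deliberate way: ipfw inspects a forwarded packet twice, once entering on the LAN interface and once leaving on the DSL interface, so here only the outbound leg carries keep-state and the LAN leg is passed by a plain stateless rule, giving one dynamic rule per connection. The dyn_* names are the sysctl(8) knobs that ipfw(8) documents for dynamic-rule lifetimes; the script reads them rather than assuming values.

```shell
#!/bin/sh
# Added example, not code from the original post. Emits a minimal stateful
# ipfw ruleset and applies it only if ipfw is actually available.

# Placeholder values (constructed): the post's real subnet was elided.
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # private subnet behind the firewall
INSIDE_IF="${INSIDE_IF:-ed0}"        # LAN interface, as in the post
OUTSIDE_IF="${OUTSIDE_IF:-tun0}"     # DSL interface, as in the post

# Print the ruleset as text so it can be reviewed before loading.
# A forwarded packet is checked once entering on $inside and once leaving
# on $outside, so the LAN leg is allowed statelessly and state is created
# exactly once, on the outbound SYN leaving $outside. Replies arriving on
# $outside then match check-state on both legs.
stateful_ruleset() {
    net="$1"; inside="$2"; outside="$3"
    cat <<EOF
add 2500 check-state
add 2510 deny tcp from any to any established
add 2900 allow ip from $net to any in recv $inside
add 3000 allow tcp from $net to any setup keep-state out xmit $outside
add 65000 deny log ip from any to any
EOF
}

# Number of keep-state rules in the generated set (the goal here is one,
# so a single connection yields a single dynamic rule).
count_keep_state() {
    stateful_ruleset "$@" | grep -c 'keep-state'
}

# Dynamic-rule lifetimes are sysctl knobs documented in ipfw(8); read them
# from the running kernel instead of guessing how long a state entry lives.
dyn_timers() {
    for k in dyn_syn_lifetime dyn_ack_lifetime dyn_fin_lifetime \
             dyn_rst_lifetime dyn_keepalive; do
        printf '%s=%s\n' "$k" "$(sysctl -n "net.inet.ip.fw.$k")"
    done
}

if command -v ipfw >/dev/null 2>&1; then
    # Flush, then feed each generated line to ipfw ($line is deliberately
    # unquoted so its words become separate arguments).
    ipfw -q -f flush
    stateful_ruleset "$LAN_NET" "$INSIDE_IF" "$OUTSIDE_IF" |
        while read -r line; do ipfw -q $line; done
    dyn_timers
    ipfw -d show   # -d lists dynamic (state) rules alongside the static ones
else
    # No ipfw on this host: just show what would be loaded.
    stateful_ruleset "$LAN_NET" "$INSIDE_IF" "$OUTSIDE_IF"
fi
```

On a FreeBSD host, `ipfw -d show` after opening one outbound connection is the check that a single dynamic entry was created for it; `dyn_timers` prints the lifetimes that govern how long that entry survives in each TCP phase.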
