Date: Thu, 25 Jul 2002 12:53:46 +0200
From: "Jo B. Grasmo" <needle+ipfw@verloid.net>
To: ipfw@freebsd.org
Subject: IPFW2
Message-ID: <20020725125346.A8987@dustpuppy.world-online.no>

Hello,

I upgraded to the latest -stable yesterday to check out ipfw2, and it
loaded my ruleset perfectly, so 2 thumbs up so far.

Given the extremely simple (and useless, I know) ruleset:

    # ipfw -at list
    01000 0 0 check-state
    01010 8 848 Thu Jul 25 12:43:43 2002 deny tcp from any to any established
    01020 5862 587140 Thu Jul 25 12:43:58 2002 allow tcp from any to any setup keep-state
    65535 17407 2155622 Thu Jul 25 12:43:07 2002 deny ip from any to any

IPFW1 used to list connections matching dynamic rules explicitly. Has
that functionality been removed, or has it just not been implemented yet?

On a side note, I've never seen "check-state" counters increment.
Shouldn't they? The rule obviously works, because if I remove it all
connections die.

IPFW1 also rewrote rules like this:

    ipfw add 2000 allow tcp from any to 10.1.1.1 22 in via xl0 setup keep-state

into this:

    02000 allow tcp from any to 10.1.1.1 22 keep-state in recv xl0 setup

IPFW2 doesn't, which broke my scripts.

One final question, when can we see IPFW2 as a kernel module? :-)

Regards,
Jo B. Grasmo
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020725125346.A8987>