Date: Tue, 15 Jun 2004 21:29:58 +0100
From: Robert Downes <nullentropy@lineone.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Firewall rules
Message-ID: <40CF5C46.4040305@lineone.net>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGCEJFGCAA.Barbish3@adelphia.net>
References: <MIEPLLIBMLEEABPDBIEGCEJFGCAA.Barbish3@adelphia.net>
JJB wrote:

> First indication is the hit count on the check-state rule. It's zero
> which means there is never a match in the keep-state table. For all
> practical purposes your firewall keep-state rules are useless.

I was suspicious of that too, but if I remove the keep-state option from the allow rules, I get no return traffic. Replies from websites never make it back. So I assumed that the state was being recorded and used correctly.

> Just within the last few days a complete working example of ipfw +
> natd + stateful rules was posted here for the archives
>
> Search the questions archives for your answer.

Yes, I have been referring to that posting, but I'm struggling to see what (fundamentally) the poster has put in his ruleset that I have not. He has denied several IP addresses that should never send packets, and he has allowed some specific outbound traffic types, but it basically seems to be doing the same. Hence my desire to understand what I am clearly missing.

--
Bob
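The two observations in this exchange are not contradictory: ipfw(8) documents that when no check-state rule is reached, the dynamic table is consulted at the first keep-state rule instead, so sessions can keep working while the check-state counter stays at zero. What the counter tells you is where return traffic is being accepted, and with natd in the path that depends on rule order (inbound divert before check-state, check-state before the allow rules, outbound keep-state rules jumping to the outbound divert). The script below is an added example, not the poster's ruleset nor the archived one JJB refers to; it shows that ordering in a skeleton and adds a helper that reads `ipfw -a list` counters to confirm the check-state rule is the one taking hits. The interface name fxp0, the LAN 192.168.1.0/24 and the sample counter listing are constructed; IPFW_CMD defaults to a dry run that prints the rules so it can be read on a machine without ipfw.

```shell
#!/bin/sh
# Added example: ipfw + natd stateful skeleton for forwarded LAN traffic, with
# a counter check. Constructed assumptions: external interface fxp0, LAN
# 192.168.1.0/24, natd on its default divert port. Traffic originating from
# the firewall host itself is deliberately not covered here.
IPFW_CMD="${IPFW_CMD:-echo ipfw}"   # set IPFW_CMD=/sbin/ipfw to load for real
EXT_IF="${EXT_IF:-fxp0}"
LAN="${LAN:-192.168.1.0/24}"

fw() { $IPFW_CMD "$@"; }

load_rules() {
    fw -q flush
    fw add 100 allow ip from any to any via lo0
    # Inbound packets are un-NATed first, so check-state and the rules after
    # it see the LAN address that the outbound keep-state rule recorded.
    fw add 200 divert natd ip from any to any in via "$EXT_IF"
    # check-state sits above every allow rule: this is the rule whose packet
    # counter should climb with each reply coming back from the Internet.
    fw add 300 check-state
    # Outbound LAN traffic creates state on the pre-NAT packet, then skips to
    # the outbound natd divert instead of falling through to the deny rule.
    fw add 400 skipto 1000 tcp from "$LAN" to any 80,443 out via "$EXT_IF" setup keep-state
    fw add 410 skipto 1000 udp from "$LAN" to any 53 out via "$EXT_IF" keep-state
    fw add 500 deny log ip from any to any
    fw add 1000 divert natd ip from any to any out via "$EXT_IF"
    fw add 1010 allow ip from any to any
}

# Read `ipfw -a list` output (rule number, packet count, byte count, body)
# from stdin and print "<rule> <packets>" for each check-state rule. A zero
# that never moves while sessions work means replies are matched elsewhere,
# typically by the keep-state rules' implicit check or by a broad allow rule
# placed above check-state.
check_state_hits() {
    awk '$4 == "check-state" { print $1, $2 }'
}

# Succeed when the check-state rule is numbered below every keep-state rule,
# i.e. it is evaluated first and can take the return traffic.
check_state_first() {
    awk '$4 == "check-state" { cs = $1 + 0 }
         /keep-state/ && (ks == "" || $1 + 0 < ks) { ks = $1 + 0 }
         END { exit !(cs != "" && (ks == "" || cs < ks)) }'
}

# Constructed sample of `ipfw -a list` output showing the symptom from the
# thread: the check-state counter is zero although the allow rule is busy.
SAMPLE_LIST='00100        42       3360 allow ip from any to any via lo0
00200       118      15904 divert 8668 ip from any to any in via fxp0
00300         0          0 check-state
00400        17       1020 skipto 1000 tcp from 192.168.1.0/24 to any dst-port 80,443 out via fxp0 setup keep-state
00500         3        240 deny log ip from any to any
01000       135      16924 divert 8668 ip from any to any out via fxp0
01010       135      16924 allow ip from any to any'

# Dry run: print the ruleset, then inspect the constructed counters.
load_rules
echo "$SAMPLE_LIST" | check_state_hits
```

On a live system, replace the constructed sample with `ipfw -a list | check_state_hits` after browsing from a LAN host; the number next to the check-state rule should rise with every reply, and `ipfw -a list | check_state_first` confirms the rule is positioned where it can be reached.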
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40CF5C46.4040305>