When to use setup keyword?

Marcin Gryszkalis mg at fork.pl
Sat Oct 4 10:06:17 PDT 2003


On 2003-10-04 18:02, Roderick van Domburg wrote:
> I was pondering if blindly trailing every tcp rule with the 'setup' keyword
> would incur any performance loss or security hazard.
> allow tcp from any to {$ip} dst-port 80 setup
> All services run just fine, but I was thinking that excluding 'setup' here
> and there would make for a cleaner solution? For example, I don't think that
> HTTP (even 1.1) requires the setup keyword does it?

Please refer to the ipfw manual *and* some TCP/IP reference.
ipfw is a TCP/IP-level firewall, while HTTP is an application-level
protocol (higher). ipfw knows nothing about HTTP.

man ipfw says:

      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
              This is the short form of ``tcpflags syn,!ack''.

To make it work you must also have a rule similar to the following:

	allow tcp from any to any established

You can try an alternative approach: use the 'stateful firewall' features
of ipfw instead of the setup/established pair (refer to the ipfw man page, tutorials, etc.)

regards
-- 
Marcin Gryszkalis
jabber jid:mg at chrome.pl
gg:2532994
http://fork.pl
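As an added illustration of the point made in the reply above (this is example code written for this page, not code from the post, the poster, or ipfw itself), the following Python models ipfw's first-match evaluation of the `setup`, `established`, `check-state` and `keep-state` keywords and runs a constructed HTTP connection trace through three rulesets: `setup` alone, the `setup`/`established` pair, and the stateful alternative. The addresses, ports and the final unsolicited bare-ACK probe packet are constructed for the example; the `Firewall` class is a deliberately simplified model (two flag tests, a flow table, an explicit final `deny` standing in for ipfw's default-deny rule 65535), not ipfw's implementation.

```python
"""Simplified model of ipfw first-match rule evaluation for the
setup / established / keep-state discussion.  Constructed example,
not ipfw's own code.  Flag semantics follow ipfw(8):
  setup        == tcpflags syn,!ack
  established  == packet has RST or ACK set
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"syn", "ack", "fin", "rst"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


@dataclass
class Rule:
    action: str                 # "allow", "deny" or "check-state"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False         # tcpflags syn,!ack
    established: bool = False   # tcpflags rst or ack
    keep_state: bool = False    # record the flow in the dynamic table on match

    def matches(self, p: Packet) -> bool:
        if self.dst != "any" and p.dst != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not ("syn" in p.flags and "ack" not in p.flags):
            return False
        if self.established and not (p.flags & {"ack", "rst"}):
            return False
        return True


class Firewall:
    """First-match evaluator with a flow table for keep-state rules.
    Simplification: dynamic entries are only consulted at an explicit
    check-state rule (real ipfw also checks them at the first keep-state
    rule), and entries never expire."""

    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # (src, sport, dst, dport) learned from keep-state

    def _in_state(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)   # dynamic rules match both directions
        return fwd in self.dynamic or rev in self.dynamic

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.action == "check-state":
                if self._in_state(p):
                    return "allow"
                continue
            if r.matches(p):
                if r.keep_state:
                    self.dynamic.add((p.src, p.sport, p.dst, p.dport))
                return r.action
        return "deny"  # stands in for ipfw's default rule 65535 (deny)


# Constructed trace: client 10.0.0.5 fetches from web server 192.0.2.10,
# followed by an unsolicited bare ACK to port 22 (an ACK-scan style probe).
SERVER = "192.0.2.10"
CLIENT, CPORT = "10.0.0.5", 40000
TRACE = [
    pkt(CLIENT, CPORT, SERVER, 80, "syn"),          # client SYN
    pkt(SERVER, 80, CLIENT, CPORT, "syn", "ack"),   # server SYN/ACK
    pkt(CLIENT, CPORT, SERVER, 80, "ack"),          # handshake ACK
    pkt(CLIENT, CPORT, SERVER, 80, "ack"),          # HTTP request segment
    pkt(SERVER, 80, CLIENT, CPORT, "ack"),          # HTTP response segment
    pkt(CLIENT, CPORT, SERVER, 80, "fin", "ack"),   # client FIN
    pkt("198.51.100.9", 55555, SERVER, 22, "ack"),  # unsolicited probe, no handshake
]

RULESETS = {
    # allow tcp from any to $SERVER dst-port 80 setup; deny ip from any to any
    "setup_only": [Rule("allow", SERVER, 80, setup=True), Rule("deny")],
    # allow tcp from any to any established; allow ... 80 setup; deny
    "setup_established": [Rule("allow", established=True),
                          Rule("allow", SERVER, 80, setup=True), Rule("deny")],
    # check-state; allow ... 80 setup keep-state; deny
    "stateful": [Rule("check-state"),
                 Rule("allow", SERVER, 80, setup=True, keep_state=True), Rule("deny")],
}


def run(name: str):
    """Return the per-packet verdicts of the named ruleset over TRACE."""
    fw = Firewall(RULESETS[name])
    return [fw.verdict(p) for p in TRACE]


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:18s}", " ".join(run(name)))
```

Running it shows why the reply says `setup` alone cannot work: only the initial SYN passes and the server's SYN/ACK and every later segment hit the final deny. Adding `established` makes the connection work, but note the last packet: `established` matches any segment carrying ACK or RST, so an unsolicited bare ACK to port 22 is also let through, which is the reason the stateful `check-state`/`keep-state` form is the better choice.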