Trouble with IPFW or TCP?

Ivan Voras ivoras at freebsd.org
Fri Apr 4 08:52:13 UTC 2008


Julian Elischer wrote:
> Ivan Voras wrote:

>> Not according to the ipfw(8) manual:
>>
>> """
>>      These dynamic rules, which have a limited lifetime, are checked
>> at the
>>      first occurrence of a check-state, keep-state or limit rule, and
>> are typ-
>>      ically used to open the firewall on-demand to legitimate traffic
>> only.
>>      See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>> informa-
>>      tion on the stateful behaviour of ipfw.
>> """
>>
>> I read this to mean the dynamic rules are checked at rule #5000 from
>> the above list. Is there an advantage to having an explicit
>> check-state rule in simple rulesets like this one?
> 
> the docs are wrong then I think.

Ok, but:
- The connections work. If keep-state rules don't include an implicit
check-state somewhere, the behaviour should be as if there were no
"keep-state" option on the rules, i.e. only the "setup" (syn,!ack)
packet would pass, which would prevent TCP connections from happening (from
experience I know that omitting keep-state works just like that).
- The same behaviour works on other machines (no explicit check-state)
ranging from 5.x to 7-STABLE.
- I've been using ipfw this way since FreeBSD 4.4 or something like
that, without the described problems. The other machine with 7.x also
doesn't have check-state and works.
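
The behaviour the thread argues about, as a small Python model added to this archive page (it is not code from the thread, from the ipfw(8) manual or from FreeBSD). It implements only what the quoted manual text says: a keep-state rule installs a dynamic rule for the flow, and dynamic rules are consulted at the first check-state or keep-state rule that evaluation reaches. Rule numbers, addresses and rulesets are constructed; "limit" rules and TCP flag tracking inside dynamic rules are not modelled. The last two rulesets go beyond the thread's simple case to show when an explicit check-state does matter: when a deny rule that would catch the reply sits in front of the keep-state rule.

```python
"""Toy model of ipfw stateful matching, written for this thread.

It models only what the manual quoted above says: a keep-state rule
creates a dynamic rule for the flow, and dynamic rules are consulted at
the first check-state, keep-state or limit rule that evaluation reaches.
It is not the kernel's ip_fw2.c logic: addresses stand in for 5-tuples,
'limit' is not modelled, and TCP flag tracking in dynamic rules is omitted.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool
    ack: bool


@dataclass(frozen=True)
class Rule:
    num: int
    action: str = "allow"        # "allow" or "deny" (unused by a pure check-state rule)
    src: Optional[str] = None    # match only packets from this address (None = any)
    setup: bool = False          # match only SYN without ACK, like ipfw's "setup"
    keep_state: bool = False
    check_state: bool = False


def flow_key(pkt: Packet) -> FrozenSet[str]:
    # Dynamic rules match both directions of a flow.
    return frozenset((pkt.src, pkt.dst))


def evaluate(rules: List[Rule], pkt: Packet, dyn: Dict[FrozenSet[str], str]) -> str:
    """Return the action for pkt; dyn is the dynamic rule table (flow -> action)."""
    for r in sorted(rules, key=lambda r: r.num):
        # The state lookup happens before the rule's own match fields, at the
        # first check-state or keep-state rule that evaluation reaches.
        if r.check_state or r.keep_state:
            if flow_key(pkt) in dyn:
                return dyn[flow_key(pkt)]
            if r.check_state:
                continue         # explicit check-state with no state: fall through
        if r.src is not None and pkt.src != r.src:
            continue
        if r.setup and not (pkt.syn and not pkt.ack):
            continue
        if r.keep_state:
            dyn[flow_key(pkt)] = r.action   # install the dynamic rule
        return r.action
    return "deny"                # rule 65535 on a default-deny kernel


def tcp_handshake(rules: List[Rule]) -> List[str]:
    """Run the three handshake packets of one connection through a fresh state table."""
    dyn: Dict[FrozenSet[str], str] = {}
    client, server = "10.0.0.2", "10.0.0.1"            # constructed addresses
    packets = [
        Packet(client, server, syn=True, ack=False),   # SYN
        Packet(server, client, syn=True, ack=True),    # SYN-ACK
        Packet(client, server, syn=False, ack=True),   # ACK
    ]
    return [evaluate(rules, p, dyn) for p in packets]


# Constructed rulesets; 5000 plays the role of the keep-state rule from the thread.
KEEP = Rule(5000, "allow", setup=True, keep_state=True)
DENY_ALL = Rule(65535, "deny")

IMPLICIT = [KEEP, DENY_ALL]                                # no explicit check-state
EXPLICIT = [Rule(100, check_state=True), KEEP, DENY_ALL]   # check-state first
NO_STATE = [Rule(5000, "allow", setup=True), DENY_ALL]     # setup only, no keep-state
# A deny rule for the server side placed before the keep-state rule: only an
# explicit check-state ahead of it lets the reply of an established flow through.
DENY_FIRST = [Rule(200, "deny", src="10.0.0.1"), KEEP, DENY_ALL]
CHECK_THEN_DENY = [Rule(100, check_state=True), Rule(200, "deny", src="10.0.0.1"),
                   KEEP, DENY_ALL]

if __name__ == "__main__":
    for name, rs in [("implicit", IMPLICIT), ("explicit", EXPLICIT),
                     ("no keep-state", NO_STATE), ("deny before keep-state", DENY_FIRST),
                     ("check-state, then deny", CHECK_THEN_DENY)]:
        print(f"{name:24s} SYN/SYN-ACK/ACK -> {tcp_handshake(rs)}")
```

In this model the first two rulesets behave identically (all three handshake packets pass), the ruleset without keep-state passes only the SYN, and the deny-before-keep-state ruleset drops the SYN-ACK unless a check-state rule precedes the deny.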

