Dynamic rules & stats

J.T. Davies jtd at hostthecoast.org
Sat Sep 18 21:02:40 PDT 2004


Please someone smack me around and correct me if I'm mistaken.
 
I'm using 5.1 Release p13
 
I've got IPFW2 enabled.  Stateless & stateful rules are working correctly.
I'm trying to incorporate/"upgrade" to dynamic rulesets, but I'm confused.
 
I've got the following rules:
 
1000 check-state
2000 allow tcp from any 1024-65535 to mysvrIP 25,110 in via outsideinterface setup keep-state
 
 
Now, when I check mail from an outside client (mail transfer is successful),
and then I do IPFW SHOW, the traffic counters for rule 2000 are ever
increasing, but 1000 stays at 0.  Every mail transfer (whether POP3 or SMTP)
increments 2000, but never 1000.
 
Is this correct?  I *thought* that this should work somewhat like the
"setup" and the "established" methods of a stateful firewall configuration.
 
If I remark rule 1000... traffic still passes through.
 
Oh, I also do see dynamic rules being created/expired by running 'ipfw -d -e
list'
 
Ideas?  Currently, it seems the rules are working, but the "0" for rule 1000
bothers me.  Should I be bothered?

Thanks all!
J.T.
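The counter behaviour J.T. describes follows from how ipfw attributes dynamic matches. The following is an added example, not code from the post or from FreeBSD: a simplified Python model of ipfw2's ruleset walk in which check-state and the implicit state lookup at the head of every keep-state rule both consult the dynamic table, and a hit jumps to the parent rule's action and increments the parent's counters, so rule 2000 grows while rule 1000 stays at 0, and reply traffic still passes with rule 1000 removed. The server address, interface name and the POP3 packets are constructed placeholders.

```python
"""Toy model of ipfw2 check-state / keep-state processing (constructed, not FreeBSD code)."""
SERVER, OUTSIDE_IF = "192.0.2.25", "fxp0"   # stand-ins for the post's mysvrIP / outsideinterface

class Rule:
    def __init__(self, number, body=None, check_state=False, keep_state=False):
        self.number, self.body = number, body          # body: predicate for the static rule body
        self.check_state, self.keep_state = check_state, keep_state
        self.pcnt = 0                                  # packet counter shown by 'ipfw show'

def rule_2000_body(p):
    # 'tcp from any 1024-65535 to mysvrIP 25,110 in via outsideinterface setup'
    return (p["proto"] == "tcp" and p["dir"] == "in" and p["via"] == OUTSIDE_IF
            and 1024 <= p["sport"] <= 65535 and p["dst"] == SERVER
            and p["dport"] in (25, 110) and p["flags"] == "SYN")

def flow_key(p):   # a dynamic rule matches both directions of the connection
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def process(rules, dyn, p):
    """Walk the ruleset for one packet; dyn maps flow key -> parent keep-state Rule."""
    for rule in rules:
        # check-state, and the implicit lookup at the start of every keep-state rule,
        # consult the dynamic table.  A hit jumps to the PARENT rule's action, so the
        # parent's counter grows while check-state's own stays at 0.
        if rule.check_state or rule.keep_state:
            parent = dyn.get(flow_key(p))
            if parent is not None:
                parent.pcnt += 1
                return parent.number
            if rule.check_state:
                continue
        if rule.body is not None and rule.body(p):
            if rule.keep_state:                  # 'setup keep-state': install dynamic rule
                dyn[flow_key(p)] = rule
            rule.pcnt += 1
            return rule.number
    return None                                  # real ipfw would fall to the default rule

def pop3_session(with_check_state=True):
    # one constructed POP3 exchange; returns (rule hit per packet, {rule number: pcnt})
    r2000 = Rule(2000, body=rule_2000_body, keep_state=True)
    rules = ([Rule(1000, check_state=True)] if with_check_state else []) + [r2000]
    dyn, cli, srv = {}, ("203.0.113.7", 51000), (SERVER, 110)
    def pkt(src, dst, direction, flags):
        return {"proto": "tcp", "src": src[0], "sport": src[1], "dst": dst[0],
                "dport": dst[1], "dir": direction, "via": OUTSIDE_IF, "flags": flags}
    session = [pkt(cli, srv, "in", "SYN"), pkt(srv, cli, "out", "SYN/ACK"),
               pkt(cli, srv, "in", "ACK"), pkt(srv, cli, "out", "PSH/ACK"),
               pkt(cli, srv, "in", "FIN/ACK")]
    hits = [process(rules, dyn, p) for p in session]
    return hits, {r.number: r.pcnt for r in rules}
```

Running `pop3_session(True)` and `pop3_session(False)` reproduces the post's observation: every packet of the session is attributed to rule 2000, and the bare check-state rule, when present, keeps a packet count of 0.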


More information about the freebsd-ipfw mailing list