Dynamic rules & stats
Thomas Wolf
tw at wsf.at
Sun Sep 19 23:25:23 PDT 2004
"J.T. Davies" <jtd at hostthecoast.org> wrote:
> Please someone smack me around and correct me if I'm mistaken.
>
> I'm using 5.1 Release p13
>
> I've got IPFW2 enabled. Stateless & stateful rules are working correctly.
> I'm trying to incorporate/"upgrade" to dynamic rulesets, but I'm confused.
>
> I've got the following rules:
>
> 1000 check-state
> 2000 allow tcp from any 1024-65535 to mysvrIP 25,110 in via outsideinterface
> setup keep-state
>
>
> Now, when I check mail from an outside client (mail transfer is successful),
> and then I do IPFW SHOW, the traffic counters for rule 2000 are ever
> increasing, but 1000 stays at 0. Every mail transfer (whether POP3 or SMTP)
> increments 2000, but never 1000.
>
> Is this correct? I *thought* that this should work somewhat like the
> "setup" and the "established" methods of a stateful firewall configuration.
No need to worry. For dynamic rules, it's always the parent rule
(which 'created' the dynamic one) where the counters are
incremented (in your setup 2000).
> If I remark rule 1000...traffic still passes through.
"If no check-state rule is found, the dynamic ruleset is checked
at the first keep-state or limit rule." (man ipfw)
Thomas
--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
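As an added illustration (not part of the thread, and not ipfw's own code), the following Python model replays the lookup order the reply describes: the dynamic table is consulted at the first check-state rule, or, when there is none, at the first keep-state rule, and a dynamic hit is credited to the parent rule's counters. The server address 192.0.2.10, the client 198.51.100.7 and the POP3 packet sequence are constructed sample data; interface and direction matching (`in via outsideinterface`) is deliberately left out.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One static ipfw rule (a simplified subset of the real syntax)."""
    number: int
    action: str = "allow"          # "allow" or "deny"
    check_state: bool = False      # a bare `check-state` rule
    keep_state: bool = False       # rule creates dynamic (state) entries
    proto: str = "any"
    src: str = "any"
    sports: tuple = (0, 65535)     # inclusive source-port range
    dst: str = "any"
    dports: tuple = ()             # allowed destination ports; () = any
    setup: bool = False            # match only a TCP SYN (new connection)
    pkts: int = 0                  # counters as shown by `ipfw show`
    bytes: int = 0


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int
    syn: bool = False              # True for the connection-opening SYN


class Firewall:
    """Sorted rule list plus a dynamic (state) table keyed by 5-tuple."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dyn = {}              # flow 5-tuple -> parent Rule

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _dynamic_match(self, p):
        # A state entry matches packets in either direction of the flow.
        return self.dyn.get(self._key(p)) or self.dyn.get(self._reverse_key(p))

    @staticmethod
    def _static_match(r, p):
        if r.check_state:
            return False           # check-state has no static match of its own
        if r.proto != "any" and r.proto != p.proto:
            return False
        if r.src != "any" and r.src != p.src:
            return False
        if r.dst != "any" and r.dst != p.dst:
            return False
        if not (r.sports[0] <= p.sport <= r.sports[1]):
            return False
        if r.dports and p.dport not in r.dports:
            return False
        if r.setup and not p.syn:
            return False
        return True

    def process(self, p):
        """Return (action, rule number credited) for one packet."""
        for r in self.rules:
            # Dynamic table is checked at the first check-state rule, or else
            # at the first keep-state rule (behaviour described in ipfw(8)).
            if r.check_state or r.keep_state:
                parent = self._dynamic_match(p)
                if parent is not None:
                    parent.pkts += 1        # credited to the parent rule,
                    parent.bytes += p.size  # never to the check-state rule
                    return parent.action, parent.number
            if self._static_match(r, p):
                r.pkts += 1
                r.bytes += p.size
                if r.keep_state:
                    self.dyn[self._key(p)] = r   # create the state entry
                return r.action, r.number
        return "deny", 65535       # implicit default rule


def pop3_session(with_check_state=True):
    """Replay a constructed POP3 exchange; return decisions and counters."""
    rules = [Rule(2000, proto="tcp", sports=(1024, 65535), dst="192.0.2.10",
                  dports=(25, 110), setup=True, keep_state=True)]
    if with_check_state:
        rules.append(Rule(1000, check_state=True))
    fw = Firewall(rules)
    client, server = "198.51.100.7", "192.0.2.10"
    packets = [
        Packet("tcp", client, 40000, server, 110, 60, syn=True),  # SYN
        Packet("tcp", server, 110, client, 40000, 60),            # SYN/ACK
        Packet("tcp", client, 40000, server, 110, 52),            # ACK
        Packet("tcp", server, 110, client, 40000, 80),            # +OK banner
        Packet("tcp", client, 40000, server, 110, 64),            # USER ...
    ]
    decisions = [fw.process(p) for p in packets]
    counters = {r.number: (r.pkts, r.bytes) for r in fw.rules}
    return decisions, counters
```

Running `pop3_session()` reproduces the observation in the thread: every packet of the session is allowed and credited to rule 2000 while rule 1000 stays at 0/0. Running it with `with_check_state=False` gives the same decisions, because the lookup simply moves to rule 2000 itself. A non-SYN packet to port 110 with no state entry is dropped by the `setup` keyword, which is what makes the state table matter in the first place.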