Trouble with IPFW or TCP?
Julian Elischer
julian at elischer.org
Fri Apr 4 00:21:36 UTC 2008
Ivan Voras wrote:
> Erik Trulsson wrote:
>> On Fri, Apr 04, 2008 at 01:34:07AM +0200, Ivan Voras wrote:
>>> In which case would an ipfw ruleset like this:
>>>
>>> 00100 114872026 40487887607 allow ip from any to any via lo0
>>> 00200 0 0 deny ip from any to 127.0.0.0/8
>>> 00300 0 0 deny ip from 127.0.0.0/8 to any
>>> 00600 1585 112576 deny ip from table(0) to me
>>> 01000 90279 7325972 allow icmp from any to any
>>> 05000 475961039 334422494257 allow tcp from me to any setup keep-state
>>> 05100 634155 65779377 allow udp from me to any keep-state
>>> 06022 409604 69177326 allow tcp from any to me dst-port 22 setup keep-state
>>> 06080 52159025 43182548092 allow tcp from any to me dst-port 80 setup keep-state
>>> 06443 6392366 2043532158 allow tcp from any to me dst-port 443 setup keep-state
>>> 07020 517065 292377553 allow tcp from any to me dst-port 8080 setup keep-state
>>> 65400 12273387 629703212 deny log ip from any to any
>>> 65535 0 0 deny ip from any to any
>>
>> If you are using 'keep-state' should there not also be some rule
>> containing 'check-state'?
>
> Not according to the ipfw(8) manual:
>
> """
> These dynamic rules, which have a limited lifetime, are checked at the
> first occurrence of a check-state, keep-state or limit rule, and are
> typically used to open the firewall on-demand to legitimate traffic only.
> See the STATEFUL FIREWALL and EXAMPLES Sections below for more information
> on the stateful behaviour of ipfw.
> """
>
> I read this to mean the dynamic rules are checked at rule #5000 from the
> above list. Is there an advantage to having an explicit check-state rule
> in simple rulesets like this one?
The docs are wrong then, I think.
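The quoted ipfw(8) text says the state table is consulted at the first check-state, keep-state or limit rule reached in number order, and that ordering is what decides whether an explicit check-state changes anything in this ruleset. What follows is an added example, not code from this thread and not ipfw's own implementation: a small Python model of that documented evaluation order, run over the ruleset quoted above (the lo0 and 127/8 rules omitted) with constructed addresses, 198.51.100.1 as the host itself, 192.0.2.10 as a member of table(0), and 203.0.113.7 as an ordinary peer. It shows that with the ruleset as posted, the return leg of a connection the host opened to a table(0) address is dropped by rule 600 before rule 5000 ever consults the state table, while an explicit check-state numbered ahead of 600 lets that state entry match.

```python
"""Simplified model of how ipfw(8) orders static and dynamic rule checks.

Added example for this thread; not code from the original message and not
ipfw's own implementation. It models only what the quoted ipfw(8) text
states: rules are tried in number order, and the dynamic (state) table is
consulted at the first check-state, keep-state or limit rule encountered.
Addresses, table contents and the 'me' host are constructed for
illustration; 'limit', state timeouts and most other ipfw options are
omitted.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool = False   # TCP SYN without ACK, what ipfw's "setup" matches


@dataclass
class Rule:
    number: int
    action: str           # "allow", "deny" or "check-state"
    proto: str = "ip"     # "ip" matches every protocol
    src: str = "any"      # "any", "me", a literal address, or "table:N"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False
    keep_state: bool = False
    check_state: bool = False


@dataclass
class Firewall:
    rules: list
    me: set                      # this host's addresses
    tables: dict                 # table number -> set of addresses
    dynamic: dict = field(default_factory=dict)  # flow key -> (action, creating rule)

    def _addr_match(self, spec, addr):
        if spec == "any":
            return True
        if spec == "me":
            return addr in self.me
        if spec.startswith("table:"):
            return addr in self.tables.get(int(spec[6:]), set())
        return spec == addr

    def _static_match(self, r, p):
        return ((r.proto == "ip" or r.proto == p.proto)
                and self._addr_match(r.src, p.src)
                and self._addr_match(r.dst, p.dst)
                and (r.dport is None or r.dport == p.dport)
                and (not r.setup or p.setup))

    def _dynamic_lookup(self, p):
        # A dynamic rule matches its flow in both directions.
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return self.dynamic.get(fwd) or self.dynamic.get(rev)

    def evaluate(self, p):
        """Return (action, rule_number) for packet p.

        For a packet accepted through the state table the number is that of
        the check-state or keep-state rule at which the table was consulted.
        """
        for r in sorted(self.rules, key=lambda r: r.number):
            if r.check_state or r.keep_state:
                hit = self._dynamic_lookup(p)
                if hit is not None:
                    return (hit[0], r.number)
                if r.check_state:
                    continue         # check-state has no static body of its own
            if self._static_match(r, p):
                if r.keep_state:
                    key = (p.proto, p.src, p.sport, p.dst, p.dport)
                    self.dynamic[key] = (r.action, r.number)
                return (r.action, r.number)
        return ("deny", 65535)       # ipfw's implicit default rule


def thread_ruleset(explicit_check_state=False):
    """The ruleset quoted in the thread (lo0 and 127/8 rules omitted),
    optionally with an explicit check-state inserted ahead of rule 600."""
    rules = [
        Rule(600, "deny", src="table:0", dst="me"),
        Rule(1000, "allow", proto="icmp"),
        Rule(5000, "allow", proto="tcp", src="me", setup=True, keep_state=True),
        Rule(5100, "allow", proto="udp", src="me", keep_state=True),
        Rule(6022, "allow", proto="tcp", dst="me", dport=22, setup=True, keep_state=True),
        Rule(6080, "allow", proto="tcp", dst="me", dport=80, setup=True, keep_state=True),
        Rule(6443, "allow", proto="tcp", dst="me", dport=443, setup=True, keep_state=True),
        Rule(7020, "allow", proto="tcp", dst="me", dport=8080, setup=True, keep_state=True),
        Rule(65400, "deny"),
    ]
    if explicit_check_state:
        rules.append(Rule(400, "check-state", check_state=True))
    return rules


ME = "198.51.100.1"        # constructed: this host
BLOCKED = "192.0.2.10"     # constructed: listed in table(0)
PEER = "203.0.113.7"       # constructed: not in any table


def make_firewall(explicit_check_state=False):
    return Firewall(rules=thread_ruleset(explicit_check_state),
                    me={ME}, tables={0: {BLOCKED}})


def outbound_exchange(fw, peer):
    """Our SYN to peer:80, then peer's SYN/ACK back; returns both verdicts."""
    syn = Packet("tcp", ME, 50000, peer, 80, setup=True)
    syn_ack = Packet("tcp", peer, 80, ME, 50000)
    return fw.evaluate(syn), fw.evaluate(syn_ack)


def inbound_exchange(fw, peer, dport):
    """peer's SYN to our dport, then our SYN/ACK back; returns both verdicts."""
    syn = Packet("tcp", peer, 40000, ME, dport, setup=True)
    syn_ack = Packet("tcp", ME, dport, peer, 40000)
    return fw.evaluate(syn), fw.evaluate(syn_ack)


if __name__ == "__main__":
    for explicit in (False, True):
        fw = make_firewall(explicit)
        print("explicit check-state:", explicit)
        print("  outbound to PEER    :", outbound_exchange(fw, PEER))
        print("  outbound to BLOCKED :", outbound_exchange(fw, BLOCKED))
        print("  inbound ssh from PEER:", inbound_exchange(fw, PEER, 22))
```

Whether that difference is wanted is the real question an explicit check-state answers. Placed ahead of a deny rule, it lets established flows bypass that deny; left out, the first keep-state rule (5000 here) is where state is checked, and every rule numbered below it still applies to reply packets. The same mechanism is why the inbound service rules need no check-state of their own: the host's SYN/ACK reply leaves through rule 5000, whose state lookup matches even though its static body (from me, setup) would not. The model looks the state table up at every keep-state rule rather than once per packet as ipfw does; nothing changes the table between those lookups, so the verdicts are the same.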