input on ipfw rules

Giorgos Keramidas keramida at
Sat Apr 5 19:44:35 PST 2003

On 2003-04-05 21:49, Robin Ericsson <lobbin at> wrote:
> I would like to get some input of these rules I'm currently using.

> I come from a linux/cisco background, so I want to know how bad these
> are :) mostly my questions are the keep-state stuff. I guess 00235 can
> go, as I think that one allows all traffic from that specific ip if
> already connected elsewhere?


> ipfw add 00230 check-state
> ipfw add 00235 allow tcp from any to any in established

You don't need both of these...  The 'established' one can safely go
away if you make it a habit of writing rules with 'keep-state' as shown:

> # ssh
> ipfw add 00700 allow tcp from any to me 22 keep-state

- Giorgos
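A small stateful ruleset written along the lines Giorgos suggests, as an added example that is not part of the thread. It assumes ipfw at /sbin/ipfw (set IPFW=echo to print the rules instead of loading them) and adds the `setup` keyword so that only the handshake-initiating SYN creates a dynamic entry; the file name rules.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes ipfw lives at /sbin/ipfw;
# run with IPFW=echo to print the rules instead of loading them.
IPFW="${IPFW:-/sbin/ipfw}"

fw() { "$IPFW" "$@"; }

load_rules() {
    fw -q -f flush
    # Packets matching a dynamic rule created by 'keep-state' below are
    # accepted here, so no separate 'established' rule is needed.
    fw add 00230 check-state
    # Rule 00235 ('allow tcp from any to any in established') is deliberately
    # absent: it would pass any TCP segment carrying ACK or RST whether or
    # not this host ever saw the handshake, bypassing the stateful rules.
    #
    # Inbound ssh: 'setup' matches only the initial SYN, and 'keep-state'
    # creates the dynamic entry that check-state matches for the rest.
    fw add 00700 allow tcp from any to me 22 setup keep-state
    # Connections this host opens get the same treatment.
    fw add 00800 allow tcp from me to any setup keep-state
    # Everything else is logged and dropped.
    fw add 65000 deny log tcp from any to any
}

# Load when invoked as 'sh rules.sh load'; sourcing only defines the functions.
case "${1:-}" in load) load_rules ;; esac
```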
