input on ipfw rules
Giorgos Keramidas
keramida at ceid.upatras.gr
Sat Apr 5 19:44:35 PST 2003
On 2003-04-05 21:49, Robin Ericsson <lobbin at localhost.nu> wrote:
>
> I would like to get some input of these rules I'm currently using.
>
> I come from a linux/cisco background, so I want to know how bad these
> are :) mostly my questions are the keep-state stuff. I guess 00235 can
> go, as I think that one allows all traffic from that specific ip if
> already connected elsewhere?
True.
> ipfw add 00230 check-state
> ipfw add 00235 allow tcp from any to any in established
You don't need both of these... The 'established' one can safely go
away if you make it a habit of writing rules with 'keep-state' as shown
below:
> # ssh
> ipfw add 00700 allow tcp from any to me 22 keep-state
- Giorgos
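To make the difference between the two approaches concrete, here is a small added model (not code from the thread or from ipfw itself) of how the rules quoted above treat packets. It follows the ipfw semantics for the keywords involved: `keep-state` creates a dynamic rule for the matching flow, `check-state` accepts packets that match an existing dynamic rule, and `established` matches any TCP segment with the RST or ACK bit set, with no knowledge of whether a connection actually exists. The addresses, ports and the `Packet`/`Firewall` names are constructed for the illustration.

```python
"""Toy model of the ipfw ruleset discussed in the thread (constructed example).

Rules modelled, in order:
  00230 check-state
  00235 allow tcp from any to any in established   (optional, see below)
  00700 allow tcp from any to me 22 keep-state
  default deny
"""
from dataclasses import dataclass

ME = "192.0.2.10"  # constructed address of the firewall host


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN"})
    direction: str    # "in" or "out"


class Firewall:
    def __init__(self, use_established: bool):
        self.use_established = use_established
        # dynamic rules created by keep-state, stored as 4-tuples
        self.dynamic = set()

    def _flow_keys(self, pkt: Packet):
        # a dynamic rule matches the flow in both directions
        return {
            (pkt.src, pkt.sport, pkt.dst, pkt.dport),
            (pkt.dst, pkt.dport, pkt.src, pkt.sport),
        }

    def decide(self, pkt: Packet) -> str:
        # 00230 check-state: packet belongs to a flow keep-state already saw
        if self._flow_keys(pkt) & self.dynamic:
            return "allow (check-state)"
        # 00235 established: any inbound segment with ACK or RST set passes,
        # whether or not a connection exists
        if self.use_established and pkt.direction == "in" and pkt.flags & {"ACK", "RST"}:
            return "allow (established)"
        # 00700 allow tcp from any to me 22 keep-state: record the flow
        if pkt.dst == ME and pkt.dport == 22:
            self.dynamic.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow (keep-state)"
        return "deny (default)"


def run_scenarios(use_established: bool) -> dict:
    """Run the same four packets through a ruleset with or without rule 00235."""
    fw = Firewall(use_established)
    client = "198.51.100.7"  # constructed ssh client
    syn = Packet(client, 40000, ME, 22, frozenset({"SYN"}), "in")
    reply = Packet(ME, 22, client, 40000, frozenset({"SYN", "ACK"}), "out")
    ack = Packet(client, 40000, ME, 22, frozenset({"ACK"}), "in")
    # unsolicited ACK to a port no rule opens, from a host we never talked to
    stray = Packet("203.0.113.9", 4444, ME, 3306, frozenset({"ACK"}), "in")
    return {
        "ssh_syn": fw.decide(syn),
        "ssh_reply": fw.decide(reply),
        "ssh_ack": fw.decide(ack),
        "stray_ack": fw.decide(stray),
    }


if __name__ == "__main__":
    for label, flag in (("with 00235 established", True), ("keep-state only", False)):
        print(label)
        for name, verdict in run_scenarios(flag).items():
            print(f"  {name:10s} -> {verdict}")
```

Both variants carry the ssh session through check-state once rule 00700 has created the dynamic entry; the only packet whose fate changes is the stray ACK, which rule 00235 lets in and the keep-state-only ruleset drops. That is the reason the reply above recommends dropping 'established' once every allow rule carries 'keep-state'.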