list-freebsd-2004 at morbius.sent.com
Tue Apr 18 01:43:35 UTC 2006
On Tuesday 18 April 2006 00:42, Chuck Swiger wrote:
> David Wolfskill wrote:
> > I thought check-state was fairly optional; ref:
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic
> > only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> > (from "man ipfw" on a 4.11 system).
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?
But the man page doesn't say *matching* rule, it says: "the first occurrence
of a check-state, keep-state or limit rule". It is pretty vague though.
The inference I take from this is that check-state mostly exists so you can
force an early, fast hash-table lookup.
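As an added illustration (not from the thread, and not ipfw's own code), here is a toy Python model of the ordering the man page describes: the dynamic table is consulted the moment rule processing reaches any check-state or keep-state rule, before that rule's static body is tested. The rule names, the 10.0.0.5/192.0.2.10 packets and the default-to-deny rule 65535 are constructed assumptions; the "setup keep-state" rule is the one quoted above.

```python
# Toy model of ipfw's stateful lookup (added illustration, not ipfw's code).
# A rule is (number, action, match, flag); flag is None, "keep-state" or
# "check-state". The dynamic table maps a direction-independent flow key to
# the action of the rule that created the entry, mirroring ipfw's hash table.

def flow_key(pkt):
    # Sort the two endpoints so a reply hits the entry its request created.
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], tuple(ends))

def run_ipfw(rules, pkt, dyn):
    """Walk the ruleset for one packet; returns the action and updates dyn."""
    for _num, action, match, flag in rules:
        # The dynamic lookup fires on *reaching* a check-state or keep-state
        # rule, before that rule's own static match is evaluated.
        if flag in ("check-state", "keep-state"):
            parent_action = dyn.get(flow_key(pkt))
            if parent_action is not None:
                return parent_action
        if flag == "check-state":
            continue  # check-state has no static match of its own
        if match(pkt):
            if flag == "keep-state":
                dyn[flow_key(pkt)] = action
            return action
    return "deny"  # assumes the default-to-deny rule 65535

# "allow tcp from any to any 22 out via bge0 setup keep-state" from the thread
def ssh_out_setup(p):
    return (p["proto"] == "tcp" and p["dport"] == 22 and p["dir"] == "out"
            and p["iface"] == "bge0" and p["flags"] == "SYN")

def inbound_bge0(p):
    return p["dir"] == "in" and p["iface"] == "bge0"

RULES_KEEP_STATE_ONLY = [(100, "allow", ssh_out_setup, "keep-state"),
                         (65000, "deny", lambda p: True, None)]
RULES_DENY_IN_FIRST = [(50, "deny", inbound_bge0, None)] + RULES_KEEP_STATE_ONLY
RULES_WITH_CHECK_STATE = [(10, "allow", None, "check-state")] + RULES_DENY_IN_FIRST

def scenario(rules):
    """Outbound SSH SYN followed by the inbound SYN-ACK (constructed packets)."""
    syn = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.0.2.10",
           "dport": 22, "dir": "out", "iface": "bge0", "flags": "SYN"}
    synack = {"proto": "tcp", "src": "192.0.2.10", "sport": 22, "dst": "10.0.0.5",
              "dport": 40000, "dir": "in", "iface": "bge0", "flags": "SYN,ACK"}
    dyn = {}
    return run_ipfw(rules, syn, dyn), run_ipfw(rules, synack, dyn)
```

With only the keep-state rule in front of the deny, the inbound SYN-ACK is allowed even though the rule's static body is outbound-only; put an inbound deny ahead of it and the reply dies before any lookup, which is exactly what an early check-state fixes.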
More information about the freebsd-questions