IPFW Problems

RW list-freebsd-2004 at morbius.sent.com
Thu Apr 20 23:57:03 UTC 2006


On Thursday 20 April 2006 05:14, Andrew Pantyukhin wrote:
> On 4/20/06, Drew Tomlinson <drew at mykitchentable.net> wrote:
> > On 4/17/2006 2:29 PM Noah Silverman wrote:

> > > ipfw add 00280 allow tcp from any to any 22 out via bge0 setup keep-state
> > > ipfw add 00299 deny log all from any to any out via bge0
> > > ipfw add 0430 allow log tcp from any to me 22 in via bge0 setup limit src-addr 2
> >
> > I think this line is your problem.  "setup" matches the initial packet
> > with the syn flag set.  However since you have not added "keep-state",
> > no rule gets added to the dynamic rule set for this connection.

"limit" creates a dynamic rule, just like keep-state

> Yes. 'setup' is from "semi-stateful" firewall functionality while
> 'keep-state' is from fully stateful one. You can't use both in
> one rule without strange consequences. Just delete 'setup'
> words in both rules - it'll probably be fine.


Yes you can. When I used IPFW I did it that way and never had any problems.  

All it's saying is that a dynamic rule can only be set up by the legitimate
first packet of a tcp handshake, and not by an out-of-sequence tcp packet.
Once the dynamic rule exists, it passes packets with any tcp flags.
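The behaviour described in this thread, as an added illustration that is not part of the mailing-list post and not ipfw's own code: a small Python model of how `setup` restricts which packet may create a dynamic rule, how `limit src-addr N` (like `keep-state`) creates one, and how an existing dynamic rule then matches any TCP flags. The packets, addresses and the simplified rule/firewall classes are constructed for the example; real ipfw also tracks state timeouts, evaluates dynamic rules at the position of the `check-state`/`keep-state` rule, and matches interfaces and direction, none of which is modelled here.

```python
"""Toy model of ipfw 'setup' + dynamic rules ('keep-state' / 'limit').

Added example for the thread above; it is NOT ipfw source and omits
interfaces, direction ('in'/'out via bge0'), logging and state timeouts.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# TCP flag bits (standard values)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Rule:
    number: int
    action: str                          # "allow" or "deny"
    dport: Optional[int] = None          # destination port, None = any
    setup: bool = False                  # only match SYN without ACK
    keep_state: bool = False             # create a dynamic rule on match
    limit_src_addr: Optional[int] = None  # 'limit src-addr N'


@dataclass
class Firewall:
    rules: List[Rule]
    dynamic: Set[Flow] = field(default_factory=set)

    @staticmethod
    def _flow(p: Packet) -> Flow:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        return (p.dst, p.dport, p.src, p.sport)

    def check(self, p: Packet) -> str:
        # Simplification: consult the dynamic table first. An established
        # dynamic rule matches the flow in both directions, whatever the flags.
        if self._flow(p) in self.dynamic or self._reverse(p) in self.dynamic:
            return "allow (dynamic)"
        for r in self.rules:
            if r.dport is not None and p.dport != r.dport:
                continue
            # 'setup' matches only the first packet of a handshake (SYN, no ACK),
            # so a stray ACK cannot create state through this rule.
            if r.setup and not (p.flags & SYN and not p.flags & ACK):
                continue
            if r.limit_src_addr is not None:
                active = sum(1 for f in self.dynamic if f[0] == p.src)
                if active >= r.limit_src_addr:
                    # ipfw drops the packet when the limit is reached
                    return f"deny (limit src-addr {r.limit_src_addr} reached at rule {r.number})"
            if r.action == "allow" and (r.keep_state or r.limit_src_addr is not None):
                self.dynamic.add(self._flow(p))  # 'limit' creates state like 'keep-state'
            return f"{r.action} (rule {r.number})"
        return "deny (default)"  # implicit default deny at the end of the ruleset


def demo() -> List[str]:
    """Replay the inbound side of rule 0430 from the thread against constructed packets."""
    fw = Firewall(rules=[Rule(430, "allow", dport=22, setup=True, limit_src_addr=2)])
    client, stray = "198.51.100.7", "203.0.113.9"  # constructed documentation addresses
    return [
        fw.check(Packet(client, 40000, "me", 22, SYN)),        # legitimate SYN creates state
        fw.check(Packet(client, 40000, "me", 22, ACK)),        # same flow, no SYN: dynamic match
        fw.check(Packet(client, 40000, "me", 22, FIN | ACK)),  # any flags once state exists
        fw.check(Packet(stray, 50000, "me", 22, ACK)),         # out-of-sequence, no state: denied
        fw.check(Packet(client, 40001, "me", 22, SYN)),        # second session from client: ok
        fw.check(Packet(client, 40002, "me", 22, SYN)),        # third: 'limit src-addr 2' hit
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The fourth packet is the case the thread argues about: with `setup` on the rule, a bare ACK from a host that never completed a handshake finds neither a dynamic rule nor a static match and falls through to the default deny, while the legitimate client's later packets are passed by the dynamic rule regardless of flags.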
