Configuring IPFW

Conrad J. Sabatier conrads at
Sat Oct 22 17:09:09 UTC 2011

On Sat, 22 Oct 2011 09:56:12 -0400
Carmel <carmel_ny at> wrote:

> I am attempting to set up a firewall using IPFW with a stateful
> behavior.
> While I have investigated how to set up these rules, I have run into
> conflicting opinions as to whether to all or deny "established"
> behavior.
> EXAMPLE: (preceded by a "checkstate" rule)
> allow tcp from any to any established
> Some documentation states that it should be denied and others say it
> should be allowed. Neither has given me a convincing reason to follow
> either scenario or any real documentation either for that fact.
> If possible, could someone with some real firewall knowledge and
> familiarity with IPFW please give me some advice.
> Thanks!

Well, assuming that you're only allowing the connections you actually
want to be be established to be setup in the first place, then the
logical thing is to then allow any already established connections.

All of your tcp "allow" rules should include the setup keyword, as well
as keep-state.  This way, only connections that are doing a first-time
setup will be allowed, and their state will be remembered, for later
checking using the check-state keyword.

In other words, create setup/keep-state rules for all tcp connections
you want to allow, and deny the rest.  Just be sure the check-state and
established rules precede the deny rules.

Similarly, for udp rules, be sure to include the keep-state (but not
setup) keyword.

Hope this makes sense.  :-)

Conrad J. Sabatier
conrads at

More information about the freebsd-questions mailing list