Configuring IPFW

Michael Sierchio kudzu at tenebras.com
Sat Oct 22 17:09:54 UTC 2011


On Sat, Oct 22, 2011 at 9:54 AM, RW <rwmaillists at googlemail.com> wrote:

> Normally if the rules are stateless you would allow established tcp
> packets, but would deny them with stateful rules. In the latter case,
> established traffic would be passed by the check-state

You need to pay attention to direction as well.  Suppose you wanted to
permit outbound TCP connections using stateful rules, and that em0 is
the outside interface of your firewall.  You would do something like
this:


ipfw add 1000 check-state
ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500
permits outbound TCP with SYN,!ACK (the first part of the 3-way
handshake), and 2550 denies all TCP traffic that is not permitted.
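As an added illustration, not part of the original post and not ipfw code, the following Python model walks constructed packets through the same three rules (check-state, the outbound setup keep-state rule on em0, and the final deny) to show why direction matters: only a SYN leaving via em0 creates a dynamic entry, after which both halves of that flow pass check-state, while an unsolicited inbound SYN, a stray outbound ACK with no state, and an unsolicited inbound SYN/ACK all fall through to the deny. Addresses, ports, and the packet sequence are invented for the example; the model ignores dynamic-rule timeouts and other ipfw details.

```python
"""Toy model of the stateful ipfw rule walk discussed above.

Added example only: it simulates the three rules in user space and
does not talk to ipfw or the kernel.  All hosts, ports and packets
below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "RST", "FIN"}
    iface: str              # interface the packet is seen on
    direction: str          # "in" (recv) or "out" (xmit)


def flow_key(p: Packet) -> frozenset:
    """Direction-independent key for a TCP flow, mirroring how a dynamic
    rule matches both halves of one connection."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


@dataclass
class StatefulFirewall:
    outside: str = "em0"
    dynamic: set = field(default_factory=set)   # active dynamic rules
    log: list = field(default_factory=list)     # (rule, action, packet)

    def evaluate(self, p: Packet) -> str:
        # 1000 check-state: a packet that belongs to an existing dynamic
        # rule is accepted by that rule, whichever direction it travels.
        if flow_key(p) in self.dynamic:
            self.log.append((1000, "allow", p))
            return "allow"
        # 2500 allow tcp from any to any out xmit em0 setup keep-state
        # 'setup' means SYN set and ACK clear; 'out xmit em0' means the
        # packet is leaving through the outside interface.
        is_setup = "SYN" in p.flags and "ACK" not in p.flags
        if p.direction == "out" and p.iface == self.outside and is_setup:
            self.dynamic.add(flow_key(p))   # keep-state creates the entry
            self.log.append((2500, "allow", p))
            return "allow"
        # 2550 deny tcp from any to any: everything else
        self.log.append((2550, "deny", p))
        return "deny"


def run_scenario() -> list:
    """Push a constructed packet sequence through the firewall and return
    (description, verdict) pairs."""
    fw = StatefulFirewall(outside="em0")
    client, server = ("10.0.0.5", 40000), ("198.51.100.20", 443)
    syn = frozenset({"SYN"})
    synack = frozenset({"SYN", "ACK"})
    ack = frozenset({"ACK"})
    pkts = [
        ("outbound SYN via em0",
         Packet(*client, *server, syn, "em0", "out")),
        ("server's SYN/ACK coming back in",
         Packet(*server, *client, synack, "em0", "in")),
        ("client's final ACK out",
         Packet(*client, *server, ack, "em0", "out")),
        ("unsolicited inbound SYN to port 22",
         Packet("203.0.113.9", 5555, "10.0.0.5", 22, syn, "em0", "in")),
        ("stray outbound ACK with no state",
         Packet("10.0.0.5", 40001, "198.51.100.20", 443, ack, "em0", "out")),
        ("inbound SYN/ACK nobody asked for",
         Packet("198.51.100.20", 443, "10.0.0.5", 40002, synack, "em0", "in")),
    ]
    return [(name, fw.evaluate(p)) for name, p in pkts]


if __name__ == "__main__":
    for name, verdict in run_scenario():
        print(f"{verdict:5s}  {name}")
```

The first three packets are the handshake the post describes: the SYN matches 2500 and installs the dynamic rule, and the SYN/ACK and ACK are then passed by check-state regardless of direction. The last three never match 2500 (wrong direction, or not a setup packet) and have no state, so 2550 drops them.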

