ipfw setup keyword - with and without ...
javocado
javocado at gmail.com
Thu Nov 16 19:30:11 UTC 2017
Here are two simple rulesets:
Code:
10 allow tcp from any to any established
20 allow tcp from any to any 22
65535 deny ip from any to any
OR:
Code:
10 allow tcp from any to any established
20 allow tcp from any to any 22 setup
65535 deny ip from any to any
The difference is that the second ruleset has 'setup' modifying the rule
that lets in the traffic we want.
From what I can tell, in actual day-to-day use, these two rulesets behave
identically.
Am I correct:
I *think* the difference between these is that the second ruleset (with
'setup') is slightly stricter because TCP *fragments* that are not part of
any connection would be allowed through the first ruleset, but would be
blocked by the second ruleset.
Because only a TCP fragment would be *neither* part of connection setup
*nor* part of an established connection.
Is that correct?
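To make the flag semantics concrete, here is an added example (not from the original post, and not ipfw code itself): a small Python model of ipfw's first-match evaluation using the definitions in ipfw(8), where 'established' matches TCP packets with RST or ACK set and 'setup' matches SYN-without-ACK. The packets are constructed, and fragment handling is deliberately not modelled.

```python
from dataclasses import dataclass
# Constructed model of the matching semantics documented in ipfw(8):
#   established -> TCP packet with RST or ACK set
#   setup       -> TCP packet with SYN set and ACK clear (tcpflags syn,!ack)
# Only what the two rulesets need is modelled; fragments are not.

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", ...
    dport: int        # destination port
    flags: frozenset  # TCP flag names present, e.g. {"syn"}

def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if "dport" in rule and rule["dport"] != pkt.dport:
        return False
    opt = rule.get("opt")
    if opt == "established":
        return bool(pkt.flags & {"ack", "rst"})
    if opt == "setup":
        return "syn" in pkt.flags and "ack" not in pkt.flags
    return True

def evaluate(ruleset: list, pkt: Packet) -> str:
    """ipfw is first-match: return the action of the first matching rule."""
    for rule in ruleset:
        if rule_matches(rule, pkt):
            return rule["action"]
    raise RuntimeError("default rule 65535 should always match")

WITHOUT_SETUP = [
    {"action": "allow", "proto": "tcp", "opt": "established"},         # 10
    {"action": "allow", "proto": "tcp", "dport": 22},                  # 20
    {"action": "deny", "proto": "ip"},                                 # 65535
]
WITH_SETUP = [
    {"action": "allow", "proto": "tcp", "opt": "established"},         # 10
    {"action": "allow", "proto": "tcp", "dport": 22, "opt": "setup"},  # 20
    {"action": "deny", "proto": "ip"},                                 # 65535
]

def compare(pkt: Packet) -> tuple:
    """(verdict without 'setup', verdict with 'setup') for one packet."""
    return evaluate(WITHOUT_SETUP, pkt), evaluate(WITH_SETUP, pkt)

# Constructed: a stray segment to port 22 with no SYN, ACK or RST set.
BARE_FIN = Packet("tcp", 22, frozenset({"fin"}))
print(compare(BARE_FIN))  # ('allow', 'deny')
```

A normal SSH handshake (SYN, then ACK-carrying segments) gets the same verdict under both rulesets; only an unflagged or FIN-only segment to port 22 shows the difference.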