ipfw setup keyword - with and without ...

javocado javocado at gmail.com
Thu Nov 16 19:30:11 UTC 2017


Here are two simple rulesets:
Code:

10 allow tcp from any to any established
20 allow tcp from any to any 22
65535 deny ip from any to any


OR:
Code:

10 allow tcp from any to any established
20 allow tcp from any to any 22 setup
65535 deny ip from any to any


The difference is that the second ruleset has 'setup' modifying the rule
that lets in the traffic we want.

From what I can tell, in actual day to day use, these two rulesets behave
identically.

Am I correct?

I *think* the difference between these is that the second ruleset (with
'setup') is slightly stricter because TCP *fragments* that are not part of
any connection would be allowed through the first ruleset, but would be
blocked by the second ruleset.

Because only a TCP fragment would be *neither* part of connection setup
*nor* part of an established connection.

Is that correct?

