From: Eric F Crist
Date: Sun, 23 Oct 2005 09:04:29 -0500
To: John Do
Cc: freebsd-questions@freebsd.org
Subject: Re: IPFW equivalent of iptables --state ESTABLISHED, RELATED

On Oct 22, 2005, at 11:53 PM, John Do wrote:

> Hi guys
>
> I'm having trouble with IPFW. I need to allow user-initiated traffic IN, but I can't.
>
> Basically, in iptables for Linux I would have used something like
> -A INPUT -p tcp -m tcp --state ESTABLISHED,RELATED -j ACCEPT
>
> Can someone help me discover what the equivalent syntax in IPFW would be?
>
> I have tried to use "allow tcp from any to any established in" but it doesn't work.
>
> much appreciated
>
> thanks guys !

I'm not quite sure what you're trying to accomplish. If you just want traffic enabled so that when users are browsing the web they get the replies from their requests, that rule is written as:

    ipfw add ### allow ip from any to any established

The rule won't allow new traffic in or out without other rules enabling it. An example ruleset could look like this:

    ipfw add 100 allow ip from me to any
    ipfw add 200 allow ip from 192.168.1.0/24 to any out via dc0
    ipfw add 300 allow ip from any to any established
    ipfw add 400 deny ip from 192.168.1.0/24 to me in via dc0
    ipfw add 500 allow ip from any to any via sk0

In this example, I'm assuming your FreeBSD machine is the network gateway. NIC dc0 is the outside NIC and sk0 is the internal one.

HTH
_______________________________________________________
Eric F Crist                "I am so smart, S.M.R.T!"
Secure Computing Networks        -Homer J Simpson
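Added example, not part of the thread above: ipfw's `established` keyword is a stateless match on TCP packets carrying the ACK or RST flag, so the closer counterpart of iptables' ESTABLISHED is dynamic state via keep-state/check-state. The script below generates such a gateway ruleset as reviewable text and loads it only when APPLY=1; the interface names dc0/sk0, the 192.168.1.0/24 LAN and the rule numbers are assumptions following the reply above.

```shell
#!/bin/sh
# Stateful ipfw gateway ruleset, emitted as text so it can be reviewed before
# it is loaded.  Interface names and LAN prefix are constructed to match the
# reply above; adjust EXT_IF/INT_IF for a real host.

# Print the ruleset for outside interface $1 and inside interface $2.
gen_rules() {
    ext=$1
    lan=$2
    cat <<EOF
# Anti-spoofing: our own LAN prefix must never arrive on the outside interface.
add 100 deny ip from 192.168.1.0/24 to any in via $ext
# Packets that belong to a session already in the dynamic table are passed;
# this is the real counterpart of iptables' ESTABLISHED (ipfw has no RELATED).
add 200 check-state
# Sessions started by the firewall itself create state and get their replies.
add 300 allow ip from me to any keep-state
# LAN hosts may open sessions out through the external interface only.
add 400 allow ip from 192.168.1.0/24 to any out via $ext keep-state
# Traffic on the internal interface is not restricted.
add 500 allow ip from any to any via $lan
# Explicit final deny: unsolicited packets, including bare ACK/RST probes that
# a stateless 'established' match would pass, are dropped here.
add 65000 deny ip from any to any
EOF
}

# The rules without comment lines, which is what gets loaded.
rule_lines() {
    gen_rules "$1" "$2" | grep -v '^#'
}

# Number of rules that consult or create dynamic state (self-check).
stateful_rule_count() {
    rule_lines "$1" "$2" | grep -c -E 'check-state|keep-state'
}

ext_if=${EXT_IF:-dc0}
int_if=${INT_IF:-sk0}
if [ "${APPLY:-0}" = 1 ]; then
    tmp=$(mktemp) || exit 1
    rule_lines "$ext_if" "$int_if" > "$tmp"
    ipfw -q "$tmp"           # ipfw reads one rule per line from the file
    rm -f "$tmp"
else
    gen_rules "$ext_if" "$int_if"
fi
```

Run without APPLY to print and inspect the rules; `APPLY=1 EXT_IF=em0 INT_IF=em1 sh gateway.sh` loads them on a FreeBSD host (the script name is an assumption).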