Date: Wed, 6 Sep 2000 00:09:10 -0700
From: "Crist J . Clark"
Reply-To: cjclark@alum.mit.edu
To: Daryl Chance
Cc: FreeBSD Questions
Subject: Re: IPFW: keep-state
Message-ID: <20000906000910.F69158@149.211.6.64.reflexcom.com>
In-Reply-To: <001d01c01744$e38c1f80$0200000a@mike>; from dchance@valuedata.net on Tue, Sep 05, 2000 at 09:23:40AM -0500

On Tue, Sep 05, 2000 at 09:23:40AM -0500, Daryl Chance wrote:

> I'm looking at adding the keep-state options to my firewall
> rules. What are the recommended places to put the keep-state
> options at?

keep-state rules can be in a lot of different places. However, the check-state rule should probably be towards the head of the list.

> I'm not quite sure what keep-state is. I've checked
> the man page and it's not really helped much. Does it basically
> create specific dynamic fw rules?

Yep.

> like:
>
> add allow tcp from any to any 21 keep-state
>
> does this become something like:
>
> allow tcp from 1.2.3.4 to 3.2.4.1 21
>
> ? Or am I totally off the mark.
The source port would also be included and the reverse connection is also part of the dynamic rule,

  allow tcp from 3.2.4.1 21 to 1.2.3.4 src_prt

What it is most useful for (but not the only use) is allowing the reverse connection to an outgoing one. For example,

  allow tcp from ${ipo} to any keep-state

Basically will allow a TCP connection (two way communication) when initiated by the local machine.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
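As an added illustration of the answer above (not part of the original thread or of ipfw itself), here is a small Python model of how check-state and keep-state interact: the keep-state rule creates one bidirectional dynamic entry that carries the client's source port, and the check-state rule at the head of the list is what lets the reply packets through. The ruleset, the addresses and the default-deny final rule are assumptions made for the example.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed packet shape: protocol plus the 4-tuple ipfw keys dynamic rules on
Packet = namedtuple("Packet", "proto src sport dst dport")

@dataclass
class Rule:
    action: str                  # "allow", "deny" or "check-state"
    proto: str = "ip"            # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dynamic = {}  # flow key -> action of the rule that created the entry

    @staticmethod
    def _key(p: Packet):
        # One entry covers both directions of a flow, source port included
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p: Packet) -> str:
        for r in self.rules:
            # the dynamic table is consulted at check-state and keep-state rules
            if r.action == "check-state" or r.keep_state:
                hit = self.dynamic.get(self._key(p))
                if hit is not None:
                    return hit
                if r.action == "check-state":
                    continue
            if r.matches(p):
                if r.keep_state:
                    self.dynamic[self._key(p)] = r.action
                return r.action
        return "deny"  # assumed default rule: deny ip from any to any

    def dynamic_rules(self):
        # Render each dynamic entry as the pair of one-way rules it stands for
        out = []
        for (proto, a, ap, b, bp), act in self.dynamic.items():
            out += [f"{act} {proto} from {a} {ap} to {b} {bp}",
                    f"{act} {proto} from {b} {bp} to {a} {ap}"]
        return out

def build_firewall(ipo: str) -> Firewall:
    # check-state at the head, the outgoing keep-state rule, then deny inbound tcp
    return Firewall([Rule("check-state"),
                     Rule("allow", "tcp", ipo, "any", keep_state=True),
                     Rule("deny", "tcp", "any", ipo)])
```

Feeding it an outgoing packet from ${ipo}:40000 to port 21 creates the entry; the reply from port 21 back to port 40000 is then allowed by check-state, while an inbound packet to any other port still hits the deny rule.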