From: sn1tch
To: freebsd-questions@freebsd.org
Date: Wed, 23 Feb 2005 11:49:39 -0500
Subject: ipfw and nmap

I am fairly new to IPFW, and I have a question regarding the stateful part of it. Now I may just be misunderstanding this, so set me straight if I am.
From what I understand, when you add a check-state rule and then, following that, a rule to keep-state, if a packet destined for that port is new and "setup" was not added to the keep-state rule, then wouldn't it get denied at the check-state rule, since keep-state did not add a dynamic rule?

My problem is this, and again this may not even be correct, but I have a BSD box that is simply providing me SSH capabilities. Here are the rules for it:

    add check-state
    add allow all from any to any 22 in via fxp0 keep-state

then the default deny rule. Now is there a way to allow setup connections but disallow port scanners like nmap from seeing it as being open?

Thanks for any help
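The check-state / keep-state behaviour asked about above, as an added example that is not part of the original post: a small Python model of ipfw's evaluation order (check-state first, then the static rules, then default deny) run over constructed packets, comparing the posted rule with the same rule restricted to TCP and given the `setup` option. Assumptions: the model tracks one direction only and ignores dynamic-rule timeouts; the addresses and ports are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    sport: int = 40000


def rule_matches(rule, pkt):
    """Static rule: allow <proto> from any to any <dport> in via fxp0 [setup] keep-state."""
    if rule["proto"] != "all" and rule["proto"] != pkt.proto:
        return False
    if pkt.dport != rule["dport"]:
        return False
    # `setup` matches only TCP packets that start a connection: SYN set, ACK clear.
    if rule["setup"] and not (pkt.syn and not pkt.ack):
        return False
    return True


def evaluate(ruleset, packets):
    """Return one verdict per packet, in ipfw order: check-state, static rules, default deny."""
    dynamic = set()   # dynamic rules installed by keep-state, keyed by 5-tuple (simplified)
    verdicts = []
    for p in packets:
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in dynamic:          # check-state: an existing dynamic rule matched
            verdicts.append("allow (dynamic)")
            continue
        for r in ruleset:           # no state yet: fall through to the static rules
            if rule_matches(r, p):
                dynamic.add(key)    # keep-state creates the dynamic rule for this flow
                verdicts.append("allow (new state)")
                break
        else:
            verdicts.append("deny (default)")
    return verdicts


POSTED_RULES = [{"proto": "all", "dport": 22, "setup": False}]   # ruleset from the post
HARDENED_RULES = [{"proto": "tcp", "dport": 22, "setup": True}]  # same rule with `setup`

PACKETS = [  # constructed sample traffic arriving on fxp0
    Packet("tcp", "198.51.100.7", "192.0.2.10", 22, syn=True),              # genuine connection setup
    Packet("tcp", "198.51.100.7", "192.0.2.10", 22, ack=True),              # next packet of that flow
    Packet("tcp", "203.0.113.9", "192.0.2.10", 22, ack=True, sport=40001),  # stray ACK, no prior SYN
]

if __name__ == "__main__":
    print(evaluate(POSTED_RULES, PACKETS))    # the stray ACK also creates state
    print(evaluate(HARDENED_RULES, PACKETS))  # only the real setup creates state
```

Without `setup`, keep-state installs a dynamic rule for any packet the rule matches, so the stray ACK is accepted and gains state; with `setup`, only a proper SYN does, and everything else falls through to the default deny.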