From owner-freebsd-questions@FreeBSD.ORG Thu May 22 05:18:56 2003
Date: Thu, 22 May 2003 07:18:54 -0500 (CDT)
From: Tommy Forrest
To: Chuck Swiger
Cc: Andras Kende
Cc: freebsd-questions@freebsd.org
In-Reply-To: <3ECC2480.8040805@mac.com>
References: <3ECC2480.8040805@mac.com>
Subject: Re: ipfw rules for low-end server??

On Wed, 21 May 2003, Chuck Swiger wrote:

---snip---

> > Should I use ipfw "dynamic" or "stateful" rules?
>
> Given that you are doing NAT, you might try using dynamic rules
> (keep-state/check-state), but how you configure your firewall rules
> should be based more on what's simple, easy to understand, and does the job.

And if you can actually get dynamic rules to work w/o timing out on you in 25 seconds on FBSD 4.8, please, let me know. I've about pulled out the last hair on my head with the install of 4.8 I have.
Telnet out, let it sit for 25 seconds and bickitie bam, no more connection - even though checking the rules shows the telnet rule has 275 seconds left before a keep-alive test. Problem exists with ipfw2 as well.
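For readers hitting the same symptom, here is an added example (not code from this thread or from FreeBSD's rc.firewall) of a stateful ipfw ruleset for a natd gateway, laid out so that the state lookup sees the same addresses on both directions of a session; the interface name, LAN range and natd port are assumptions, and the sysctl names at the end are the standard dynamic-rule lifetime knobs to check when an entry seems to die early.

```sh
#!/bin/sh
# Added example, not code from the thread: a minimal stateful ipfw ruleset for a
# natd gateway in the style of /etc/rc.firewall.  Interface, LAN range and the
# natd port are assumptions; adjust them to your box.
IPFW=${IPFW:-"/sbin/ipfw -q"}
OIF=${OIF:-fxp0}               # external interface (assumption)
LAN=${LAN:-192.168.1.0/24}     # internal network (assumption)
NATPORT=${NATPORT:-8668}       # natd divert port (natd's default)

fw_rules() {
    $IPFW -f flush
    # Inbound packets are translated back to the private address *before* the
    # state lookup, so replies match the entry keep-state recorded for the
    # LAN host.  A check-state placed before this divert sees the public
    # address instead and never matches, and the reply falls through to the
    # deny rules below no matter how much lifetime the entry has left.
    $IPFW add 100 divert $NATPORT ip from any to any in via $OIF
    $IPFW add 200 check-state
    # First packet of an outbound session: record state (still on the private
    # address), then jump to the late divert that translates it on the way out.
    $IPFW add 300 skipto 1000 tcp from $LAN to any out via $OIF setup keep-state
    $IPFW add 310 skipto 1000 udp from $LAN to any out via $OIF keep-state
    $IPFW add 320 skipto 1000 ip from me to any out via $OIF keep-state
    # Everything else arriving from the outside is unsolicited.
    $IPFW add 400 deny log tcp from any to any in via $OIF setup
    $IPFW add 410 deny log ip from any to any in via $OIF
    $IPFW add 1000 divert $NATPORT ip from any to any out via $OIF
    $IPFW add 1010 allow ip from any to any
}

# Idle timeouts are per-state sysctls, not per-rule.  A TCP session that gets
# dropped long before "ipfw -d show" says its entry expires is a sign the reply
# packets are not matching the entry at all (see the comment on rule 100).
#   sysctl net.inet.ip.fw.dyn_ack_lifetime    # established TCP, 300 s default
#   sysctl net.inet.ip.fw.dyn_syn_lifetime    # half-open TCP
#   sysctl net.inet.ip.fw.dyn_udp_lifetime    # UDP

case "${1-}" in
    --dry-run) IPFW=echo; fw_rules ;;
    --apply)   fw_rules ;;
esac
```

Run it with `--dry-run` first to print the rules instead of loading them, then `--apply` as root.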