Date: Thu, 20 Mar 2003 09:22:20 -0800
From: "Drew Tomlinson" <drew@mykitchentable.net>
To: "Giorgos Keramidas" <keramida@freebsd.org>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: IPFW - "keep-state/check-state" And "setup/established" Confusion
Message-ID: <000a01c2ef05$43ed1100$6e2a6ba5@tagalong>
References: <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong> <20030320165232.GB6347@gothmog.gr>
----- Original Message -----
From: "Giorgos Keramidas" <keramida@freebsd.org>
To: "Drew Tomlinson" <drew@mykitchentable.net>
Cc: <freebsd-questions@freebsd.org>
Sent: Thursday, March 20, 2003 8:52 AM

> On 2003-03-19 15:19, Drew Tomlinson <drew@mykitchentable.net> wrote:
>> I'm using ipfw2 to set up a firewall on 4.8-RC for my home network.
>> I used the rule set at
>>
>> http://www.bsdtoday.com/2000/December/rc.firewall.current
>>
>> as an example but am confused regarding the differences between
>> setting rules using "setup/established" and "keep-state /
>> check-state". I've read the ipfw man page and understand that
>> "setup/established" matches SYN/ACK bits in a packet whereas
>> "keep-state/check-state" actually creates a dynamic rule.
>> But not being really knowledgeable about how IP packets are
>> constructed, I'm not sure what this means in the real world.
>
> It means that `established' uses a very simple test of packet contents
> to find out if this packet belongs to an existing connection. This
> simple test is "good enough" for some packets, but will match packets
> that are not part of a real, existing connection too.
>
>> If I understand it correctly, the example at BSDToday basically uses
>> "setup/established" to allow traffic in for services that I allow.
>> So in my case I would use it for FTP, SMTP, SSH, and HTTP. Then the
>> rule set uses "keep-state/check-state" for connections originating
>> from my internal network to the outside world. But why should I not
>> use "keep-state/check-state" for everything by adding my check-state
>> rule near the top and then adding the following rule for incoming
>> services:
>>
>> ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
>
> As a matter of fact, you should. The 'established' keyword is not as
> nice as a real, stateful firewall (which {keep,check}-state gives you).
>
>> I've actually done this and it is working but I'd like to know if
>> this is a good or bad idea and why.
>
> In a reply to a private message, a few weeks ago, I tried to explain
> the difference to someone. Here's the message, without any names.
> I hope this helps a bit :-)

Thank you for the explanation. It does help. One other question I have is that I never see the "check-state" packet count incrementing. However, I vaguely recall reading somewhere that it doesn't, even when packets pass via the rule. Is this correct?

I'm happy to know that the "keep/check-state" rules are the way to go. It makes my rule set simpler too. Now on to traffic prioritization via dummynet! :)

Thanks again,

Drew

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
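The point made in the exchange above, that `established` looks only at the flag bits of each packet while check-state/keep-state consults a table of connections the firewall itself saw being opened, can be tried out without a FreeBSD box. The Python below is an added illustration for this archive page, not code from the thread, from the posters or from FreeBSD. It models the two rule-set styles against constructed packets (the addresses, the ports and the SERVICES set are assumptions chosen for the example) and also shows what changes when a keep-state rule is written without `setup`, which is worth checking in a rule like the one quoted in the question: without `setup`, the first packet the static rule matches creates the dynamic rule, whether or not it was a SYN.

```python
"""Model of ipfw's two ways of admitting return traffic.

Added illustration for this mailing-list thread, not code from FreeBSD or
from the posters. It simulates, on constructed packets, these rule sets:

  # flag-based ('established' style)
  add allow tcp from any to any established
  add allow tcp from any to ${inwr} 21,22,25,80 setup
  add allow tcp from ${inside} to any setup
  add deny ip from any to any

  # stateful ('keep-state/check-state' style)
  add check-state
  add allow tcp from any to ${inwr} 21,22,25,80 setup keep-state
  add allow tcp from ${inside} to any setup keep-state
  add deny ip from any to any

Only TCP flags and the 4-tuple are modelled; dynamic-rule timeouts,
per-connection TCP phase tracking and interfaces are left out.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP flag bits (RFC 793)
SERVICES = {21, 22, 25, 80}                  # ports allowed inbound, as in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    direction: str  # "in" (arriving from outside) or "out" (leaving the LAN)


def matches_established(p: Packet) -> bool:
    """ipfw 'established': TCP packet with RST or ACK set. No memory at all."""
    return bool(p.flags & (RST | ACK))


def matches_setup(p: Packet) -> bool:
    """ipfw 'setup': SYN set and ACK clear, i.e. the first packet of a handshake."""
    return bool(p.flags & SYN) and not (p.flags & ACK)


def flow_key(p: Packet) -> frozenset:
    """Direction-independent 4-tuple, so the reply matches the same dynamic rule."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def flag_firewall(p: Packet) -> bool:
    """Rule set 1: decide from the flags alone."""
    if matches_established(p):
        return True
    if p.direction == "in" and p.dport in SERVICES and matches_setup(p):
        return True
    if p.direction == "out" and matches_setup(p):
        return True
    return False


class StatefulFirewall:
    """Rule set 2: check-state first, then create state only on a permitted SYN.

    require_setup=False models a rule written 'keep-state' without 'setup',
    which creates state from whatever packet the static rule first matches.
    """

    def __init__(self, require_setup: bool = True):
        self.require_setup = require_setup
        self.dynamic: set = set()  # dynamic rules created by keep-state

    def accept(self, p: Packet) -> bool:
        if flow_key(p) in self.dynamic:           # check-state
            return True
        opens = matches_setup(p) if self.require_setup else True
        if p.direction == "in" and p.dport in SERVICES and opens:
            self.dynamic.add(flow_key(p))          # keep-state
            return True
        if p.direction == "out" and opens:
            self.dynamic.add(flow_key(p))
            return True
        return False


def run(packets, require_setup: bool = True):
    """Return (flag_verdicts, stateful_verdicts) for one packet sequence."""
    fw = StatefulFirewall(require_setup)
    return [flag_firewall(p) for p in packets], [fw.accept(p) for p in packets]


# Constructed traffic: 198.51.100.7 is an outside host, 192.0.2.10 the firewall.
OUTSIDE, INWR = "198.51.100.7", "192.0.2.10"
SSH_HANDSHAKE = [
    Packet(OUTSIDE, 40000, INWR, 22, SYN, "in"),
    Packet(INWR, 22, OUTSIDE, 40000, SYN | ACK, "out"),
    Packet(OUTSIDE, 40000, INWR, 22, ACK, "in"),
]
SPOOFED_ACK = [Packet(OUTSIDE, 40001, INWR, 3306, ACK, "in")]   # no handshake, port not allowed
SYN_TO_CLOSED = [Packet(OUTSIDE, 40002, INWR, 3306, SYN, "in")]
ACK_TO_OPEN_PORT = [Packet(OUTSIDE, 40003, INWR, 22, ACK, "in")]

if __name__ == "__main__":
    cases = [("ssh handshake", SSH_HANDSHAKE), ("spoofed ACK", SPOOFED_ACK),
             ("SYN to closed port", SYN_TO_CLOSED), ("ACK to open port", ACK_TO_OPEN_PORT)]
    for name, pkts in cases:
        print(f"{name:20s} flags-only={run(pkts)[0]} stateful={run(pkts)[1]}")
    print("keep-state without setup, ACK to open port:", run(ACK_TO_OPEN_PORT, require_setup=False))
```

Running it shows the difference the reply describes: the bare ACK packets pass the `established` rule set because nothing in it remembers which connections were opened, while the stateful rule set drops them because no dynamic rule exists for that 4-tuple. The last line shows the caveat for a keep-state rule without `setup`: the same bare ACK to port 22 is accepted and, worse, creates a dynamic rule that will then admit the rest of that flow. Real ipfw dynamic rules additionally expire and follow the TCP state of the connection, which this model leaves out.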