From owner-freebsd-questions Thu Mar 20 9:22:26 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 37F2037B404; Thu, 20 Mar 2003 09:22:24 -0800 (PST)
Received: from blacklamb.mykitchentable.net (207-173-254-106.bras01.elk.ca.frontiernet.net [207.173.254.106]) by mx1.FreeBSD.org (Postfix) with ESMTP id A916543F3F; Thu, 20 Mar 2003 09:22:22 -0800 (PST) (envelope-from drew@mykitchentable.net)
Received: from tagalong (unknown [165.107.42.110]) by blacklamb.mykitchentable.net (Postfix) with SMTP id BC055EE53D; Thu, 20 Mar 2003 09:22:20 -0800 (PST)
Message-ID: <000a01c2ef05$43ed1100$6e2a6ba5@tagalong>
From: "Drew Tomlinson"
To: "Giorgos Keramidas"
Cc:
References: <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong> <20030320165232.GB6347@gothmog.gr>
Subject: Re: IPFW - "keep-state/check-state" And "setup/established" Confusion
Date: Thu, 20 Mar 2003 09:22:20 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

----- Original Message -----
From: "Giorgos Keramidas"
To: "Drew Tomlinson"
Cc:
Sent: Thursday, March 20, 2003 8:52 AM

> On 2003-03-19 15:19, Drew Tomlinson wrote:
>> I'm using ipfw2 to set up a firewall on 4.8-RC for my home network.
>> I used the rule set at
>>
>> http://www.bsdtoday.com/2000/December/rc.firewall.current
>>
>> as an example but am confused regarding the differences between
>> setting rules using "setup/established" and "keep-state /
>> check-state". I've read the ipfw man page and understand that
>> "setup/established" matches syn/ack bits in a packet where
>> "keep-state/check-state" actually creates a dynamic rule.
>> But not being really knowledgeable about how IP packets are
>> constructed, I'm not sure what this means in the real world.
>
> It means that `established' uses a very simple test of packet contents
> to find out if this packet belongs to an existing connection. This
> simple test is "good enough" for some packets, but will match packets
> that are not part of a real, existing connection too.
>
>> If I understand it correctly, the example at BSDToday basically uses
>> "setup/established" to allow traffic in for services that I allow.
>> So in my case I would use it for FTP, SMTP, SSH, and HTTP. Then the
>> rule set uses "keep-state/check-state" for connections originating
>> from my internal network to the outside world. But why should I not
>> use "keep-state/check-state" for everything by adding my check-state
>> rule near the top and then adding the following rule for incoming
>> services:
>>
>> ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
>
> As a matter of fact, you should. The 'established' keyword is not as
> nice as a real, stateful firewall (which {keep,check}-state gives you).
>
>> I've actually done this and it is working but I'd like to know if
>> this is a good or bad idea and why.
>
> In a reply to a private message, a few weeks ago, I tried to explain
> the difference to someone. Here's the message, without any names.
> I hope this helps a bit :-)

Thank you for the explanation. It does help.

One other question I have is that I never see the "check-state" packet count incrementing. However I vaguely recall reading somewhere that it doesn't, even when packets pass via the rule. Is this correct?

I'm happy to know that the "keep/check-state" rules are the way to go. It makes my rule set simpler too. Now on to traffic prioritization via dummynet!
:)

Thanks again,

Drew