Date:      Thu, 20 Mar 2003 11:56:36 -0800
From:      James Long <list@museum.rain.com>
To:        Giorgos Keramidas <keramida@FreeBSD.ORG>
Cc:        Drew Tomlinson <drew@mykitchentable.net>, freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW - "keep-state/check-state" And "setup/established" Confusion
Message-ID:  <20030320115636.A37330@ns.museum.rain.com>
In-Reply-To: <20030320165232.GB6347@gothmog.gr>; from keramida@FreeBSD.ORG on Thu, Mar 20, 2003 at 06:52:32PM +0200
References:  <00d401c2ee6e$0abf07e0$6e2a6ba5@tagalong> <20030320165232.GB6347@gothmog.gr>

On Thu, Mar 20, 2003 at 06:52:32PM +0200, Giorgos Keramidas wrote:

> > use "keep-state/check-state" for everything by adding my check-state
> > rule near the top and then adding the following rule for incoming
> > services:
> >
> > ipfw add allow ip from any to $inwr 21,22,25,80 keep-state
> 
> As a matter of fact, you should.  The 'established' keyword is not as
> nice as a real, stateful firewall (which {keep,check}-state gives you).

A learning question:  First, I am working from the understanding that
the keep-state flag results in _one_ rule from any to $inwr, but creates
the complementary "$inwr to any" rules for the return traffic on a dynamic
basis, and that there is one dynamic rule for each connection that is
active at the time.  I welcome enlightenment if I am mistaken in this.

Given that one wants to run those four ports wide open to the world, won't 
"keep-state" result in the firewall creating N dynamic rules for the return 
traffic, where N is the number of connections open to those four ports?  
When N is large (i.e., when there are many connections to those ports), 
would it not result in fewer firewall rule comparisons to just run them 
wide open and be done with it?

If one accepts traffic from anyone coming in to those ports, what is to
be gained by restricting the IPs to which our server can send return
traffic from those ports?

ipfw add allow ip from any to $inwr 21,22,25,80
ipfw add allow ip from $inwr 21,22,25,80 to any

Wouldn't this result in a maximum of two rules, instead of N + 1?

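The two rule sets James compares above, run side by side in a small Python model. This is an added illustration, not code from the thread or from ipfw itself: it models only the behaviour the message discusses (a static rule list versus a check-state/keep-state pair that installs one dynamic entry per flow), with constructed addresses in the documentation ranges standing in for $inwr and its clients. The model keeps the dynamic entries in a dict keyed by the flow's address/port tuple, so a lookup costs one hash probe regardless of how many flows are open, which is also how ipfw indexes its dynamic rule table rather than walking it sequentially. Timeouts, TCP flag tracking and the exact ipfw rule numbering are left out.

```python
"""Toy model of an ipfw stateless rule pair versus check-state/keep-state.

Constructed example for illustration; not ipfw's implementation.
"""
from dataclasses import dataclass

SERVER = "192.0.2.10"            # stands in for $inwr (assumed, RFC 5737 range)
SERVICE_PORTS = {21, 22, 25, 80}  # the four ports from the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _flow_key(pkt: Packet):
    return (pkt.src, pkt.sport, pkt.dst, pkt.dport)


def _reverse_key(pkt: Packet):
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatelessFirewall:
    """ipfw add allow ip from any to $inwr 21,22,25,80
       ipfw add allow ip from $inwr 21,22,25,80 to any"""

    def __init__(self):
        # Two static rules, evaluated in order; nothing else is ever created.
        self.rules = [
            lambda p: p.dst == SERVER and p.dport in SERVICE_PORTS,
            lambda p: p.src == SERVER and p.sport in SERVICE_PORTS,
        ]

    def allow(self, pkt: Packet) -> bool:
        return any(rule(pkt) for rule in self.rules)


class StatefulFirewall:
    """ipfw add check-state
       ipfw add allow ip from any to $inwr 21,22,25,80 keep-state"""

    def __init__(self):
        # One dynamic entry per flow, keyed by the 5-tuple (hash lookup, not a scan).
        self.dynamic = {}

    def allow(self, pkt: Packet) -> bool:
        # check-state: a dynamic entry matches traffic in either direction of its flow
        if _flow_key(pkt) in self.dynamic or _reverse_key(pkt) in self.dynamic:
            return True
        # keep-state rule: only a new inbound flow to the services matches,
        # and matching installs the dynamic entry for its return traffic
        if pkt.dst == SERVER and pkt.dport in SERVICE_PORTS:
            self.dynamic[_flow_key(pkt)] = True
            return True
        return False


def simulate(n_clients: int = 3) -> dict:
    """Push the same constructed traffic through both rule sets and report."""
    stateless, stateful = StatelessFirewall(), StatefulFirewall()
    clients = [f"203.0.113.{i}" for i in range(1, n_clients + 1)]  # constructed
    for i, client in enumerate(clients):
        first = Packet(client, 40000 + i, SERVER, 80)
        stateless.allow(first)
        stateful.allow(first)
    # return traffic to a client that did open a connection
    reply = Packet(SERVER, 80, clients[0], 40000)
    # a packet leaving the server's port 80 toward a host that never connected
    stray = Packet(SERVER, 80, "198.51.100.9", 40000)
    # an inbound probe to a port neither rule set opens
    probe = Packet("198.51.100.9", 5555, SERVER, 8080)
    return {
        "stateless_rules": len(stateless.rules),
        "stateful_static_rules": 2,              # check-state + the keep-state rule
        "stateful_dynamic_rules": len(stateful.dynamic),
        "reply_allowed": (stateless.allow(reply), stateful.allow(reply)),
        "stray_allowed": (stateless.allow(stray), stateful.allow(stray)),
        "probe_allowed": (stateless.allow(probe), stateful.allow(probe)),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With three clients the stateless set stays at two rules while the stateful set holds two static rules plus three dynamic entries, which is the N + 1 growth the message describes. The "stray" packet is where the two differ: the stateless pair accepts anything leaving $inwr from a service port, whatever its destination, while the stateful set accepts return traffic only for a flow that a client actually opened.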