Date:      Sat, 04 Oct 2003 19:06:02 +0200
From:      Marcin Gryszkalis <mg@fork.pl>
To:        Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: When to use setup keyword?
Message-ID:  <3F7EFDFA.4060703@fork.pl>
In-Reply-To: <006b01c38a90$dea3b420$6ba55982@gog>
References:  <006b01c38a90$dea3b420$6ba55982@gog>

On 2003-10-04 18:02, Roderick van Domburg wrote:
> I was pondering if blindly trailing every tcp rule with the 'setup' keyword
> would incur any performance loss or security hazard.
> allow tcp from any to {$ip} dst-port 80 setup
> All services run just fine, but I was thinking that excluding 'setup' here
> and there would make for a cleaner solution? For example, I don't think that
> HTTP (even 1.1) requires the setup keyword does it?

Please refer to ipfw manual *and* some TCP/IP reference.
ipfw is a TCP/IP-level firewall, while HTTP is an application-level
protocol (higher). ipfw knows nothing about HTTP.

man ipfw says:

      setup   Matches TCP packets that have the SYN bit set but no ACK bit.
              This is the short form of ``tcpflags syn,!ack''.

To make it work you must also have a rule similar to the following:

	allow tcp from any to any established

You can try an alternative approach: use the 'stateful firewall' features
of ipfw instead of the setup/established pair (refer to the ipfw man page, tutorials, etc.)

regards
-- 
Marcin Gryszkalis
jabber jid:mg@chrome.pl
gg:2532994
http://fork.pl
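The setup/established pair described in the reply, modelled as an added Python example (not ipfw's code and not from the thread) so that each leg of a TCP handshake can be traced rule by rule; the addresses and ports are constructed.

```python
# Added example: a small model of how ipfw's stateless "setup" and
# "established" options classify TCP packets (not ipfw's own code).
SYN, ACK, RST = 0x02, 0x10, 0x04

def is_setup(flags):
    # ipfw(8): "setup" is the short form of tcpflags syn,!ack
    return bool(flags & SYN) and not flags & ACK

def is_established(flags):
    # ipfw(8): "established" matches TCP packets with RST or ACK set
    return bool(flags & (ACK | RST))

def evaluate(ruleset, pkt):
    """Return the action of the first rule matching pkt; unmatched
    packets fall through to ipfw's implicit default deny."""
    for rule in ruleset:
        if rule.get("dst") not in (None, pkt["dst"]):
            continue
        if rule.get("dport") not in (None, pkt["dport"]):
            continue
        opt = rule.get("opt")
        if opt == "setup" and not is_setup(pkt["flags"]):
            continue
        if opt == "established" and not is_established(pkt["flags"]):
            continue
        return rule["action"]
    return "deny"

SERVER = "192.0.2.10"  # constructed address (TEST-NET-1), stands in for $ip

# allow tcp from any to $ip dst-port 80 setup
# allow tcp from any to any established
PAIRED = [
    {"action": "allow", "dst": SERVER, "dport": 80, "opt": "setup"},
    {"action": "allow", "opt": "established"},
]
SETUP_ONLY = PAIRED[:1]  # what the poster's rule gives on its own

def handshake(ruleset, client="198.51.100.7", sport=40000, dport=80):
    """Run a client -> SERVER three-way handshake through ruleset and
    return the verdict for each leg, in order."""
    legs = [
        {"dst": SERVER, "dport": dport, "flags": SYN},        # client SYN
        {"dst": client, "dport": sport, "flags": SYN | ACK},  # server SYN/ACK
        {"dst": SERVER, "dport": dport, "flags": ACK},        # client ACK
    ]
    return [evaluate(ruleset, p) for p in legs]

if __name__ == "__main__":
    print("setup + established:", handshake(PAIRED))      # all three allowed
    print("setup only:         ", handshake(SETUP_ONLY))  # only the SYN passes
    print("SYN to port 22:     ", evaluate(PAIRED, {"dst": SERVER, "dport": 22, "flags": SYN}))
```

Note that the stateless established rule accepts any segment carrying ACK or RST whether or not the firewall ever saw the connection opened, which is the gap the stateful keep-state/check-state approach mentioned in the reply closes.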