Date: Sat, 04 Oct 2003 19:06:02 +0200
From: Marcin Gryszkalis <mg@fork.pl>
To: Roderick van Domburg <r.s.a.vandomburg@student.utwente.nl>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: When to use setup keyword?
Message-ID: <3F7EFDFA.4060703@fork.pl>
In-Reply-To: <006b01c38a90$dea3b420$6ba55982@gog>
References: <006b01c38a90$dea3b420$6ba55982@gog>
On 2003-10-04 18:02, Roderick van Domburg wrote:
> I was pondering if blindly trailing every tcp rule with the 'setup' keyword
> would incur any performance loss or security hazard.
>
> allow tcp from any to {$ip} dst-port 80 setup
>
> All services run just fine, but I was thinking that excluding 'setup' here
> and there would make for a cleaner solution? For example, I don't think that
> HTTP (even 1.1) requires the setup keyword, does it?

Please refer to the ipfw manual *and* some TCP/IP reference. ipfw is a TCP/IP-level firewall, while HTTP is an application-level protocol (higher). ipfw knows nothing about HTTP.

man ipfw says:

    setup   Matches TCP packets that have the SYN bit set but no ACK bit.
            This is the short form of ``tcpflags syn,!ack''.

To make it work you must also have a rule similar to the following:

    allow tcp from any to any established

You can try an alternative approach - use the 'stateful firewall' features of ipfw instead of the setup/established pair (refer to the ipfw man page, tutorials, etc.)

regards
--
Marcin Gryszkalis
jabber jid:mg@chrome.pl gg:2532994
http://fork.pl
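An added illustration of the point above (not code from the thread or from ipfw itself): it models how ipfw's `setup` and `established` keywords classify TCP packets by flag bits, as ipfw(8) defines them, and walks a constructed three-way handshake through a ruleset with only the `setup` rule and then with the `established` rule added. The addresses, ports and the rule representation are assumptions made for the example.

```python
# Added example, not code from the original mail or from ipfw.
# Flag semantics follow ipfw(8): setup = SYN set and ACK clear;
# established = ACK or RST set. Rule/packet layout is assumed here.

SERVER = "192.0.2.10"    # constructed address of the web server behind ipfw
CLIENT = "198.51.100.7"  # constructed client address

def is_setup(flags):
    """ipfw `setup`: short form of `tcpflags syn,!ack`."""
    return "syn" in flags and "ack" not in flags

def is_established(flags):
    """ipfw `established`: matches TCP packets with RST or ACK set."""
    return "ack" in flags or "rst" in flags

def rule_matches(rule, pkt):
    """One TCP allow/deny rule; dst may be 'any', dst_port may be None."""
    dst_ok = rule["dst"] in ("any", pkt["dst"])
    port_ok = rule["dst_port"] in (None, pkt["dst_port"])
    flag_ok = {None: True,
               "setup": is_setup(pkt["flags"]),
               "established": is_established(pkt["flags"])}[rule["option"]]
    return dst_ok and port_ok and flag_ok

def verdict(rules, pkt):
    """First matching rule wins; the implicit final rule is deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

# Constructed handshake for an HTTP connection, both directions crossing ipfw.
HANDSHAKE = [
    {"src": CLIENT, "dst": SERVER, "dst_port": 80,    "flags": {"syn"}},
    {"src": SERVER, "dst": CLIENT, "dst_port": 51000, "flags": {"syn", "ack"}},
    {"src": CLIENT, "dst": SERVER, "dst_port": 80,    "flags": {"ack"}},
]

# allow tcp from any to $SERVER dst-port 80 setup
SETUP_RULE = {"action": "allow", "dst": SERVER, "dst_port": 80, "option": "setup"}
# allow tcp from any to any established
ESTABLISHED_RULE = {"action": "allow", "dst": "any", "dst_port": None,
                    "option": "established"}

def run(rules):
    """Verdict for each handshake packet, in order."""
    return [verdict(rules, p) for p in HANDSHAKE]

if __name__ == "__main__":
    print(run([SETUP_RULE]))                    # only the initial SYN passes
    print(run([SETUP_RULE, ESTABLISHED_RULE]))  # the whole handshake passes
```

Note that `established` is a pure flag test: any packet with ACK set matches it whether or not a SYN was ever allowed, which is the gap that the stateful `keep-state`/`check-state` approach mentioned in the reply closes.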