From: Marcin Gryszkalis
Organization: fork.pl
To: Roderick van Domburg
cc: freebsd-ipfw@freebsd.org
Date: Sat, 04 Oct 2003 19:06:02 +0200
Message-ID: <3F7EFDFA.4060703@fork.pl>
In-Reply-To: <006b01c38a90$dea3b420$6ba55982@gog>
Subject: Re: When to use setup keyword?
List-Id: IPFW Technical Discussions

On 2003-10-04 18:02, Roderick van Domburg wrote:
> I was pondering if blindly trailing every tcp rule with the 'setup' keyword
> would incur any performance loss or security hazard.
>
> allow tcp from any to {$ip} dst-port 80 setup
>
> All services run just fine, but I was thinking that excluding 'setup' here
> and there would make for a cleaner solution? For example, I don't think that
> HTTP (even 1.1) requires the setup keyword, does it?

Please refer to the ipfw manual *and* some TCP/IP reference. ipfw is a TCP/IP-level firewall, while HTTP is an application-level protocol (higher). ipfw knows nothing about HTTP.

man ipfw says:

    setup
        Matches TCP packets that have the SYN bit set but no ACK bit.
        This is the short form of ``tcpflags syn,!ack''.

To make it work you must also have a rule similar to the following:

    allow tcp from any to any established

You can try an alternative approach: use the 'stateful firewall' features of ipfw instead of the setup/established pair (refer to the ipfw man page, tutorials, etc.)

regards
-- 
Marcin Gryszkalis
jabber jid:mg@chrome.pl gg:2532994
http://fork.pl
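The following is an added example, not code from the thread or from ipfw itself: a small Python model of how the `setup`, `established` and `check-state`/`keep-state` options decide each packet of an HTTP connection. It assumes a simplified first-match evaluator (dynamic state is a set of 4-tuples, addresses and packets are constructed) and uses the flag definitions from ipfw(8).

```python
# Added example, not code from the original thread: a simulation of how ipfw
# decides a TCP packet's fate, following ipfw(8): "setup" is tcpflags syn,!ack,
# "established" matches packets with ACK or RST set. All data is constructed.
SYN, ACK, PSH, RST = 0x02, 0x10, 0x08, 0x04
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"  # SERVER stands in for {$ip}

def is_setup(flags):        # ipfw 'setup'
    return bool(flags & SYN) and not (flags & ACK)

def is_established(flags):  # ipfw 'established'
    return bool(flags & (ACK | RST))

def matches(rule, pkt):     # static rule: destination/port, then tcpflags option
    if rule.get("dst") not in (None, pkt["dst"]) or rule.get("dport") not in (None, pkt["dport"]):
        return False
    opt = rule.get("opt")
    if opt == "setup":
        return is_setup(pkt["flags"])
    if opt == "established":
        return is_established(pkt["flags"])
    return True

def evaluate(rules, pkt, state):
    key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    for rule in rules:                       # first matching rule wins
        if rule["action"] == "check-state":  # consult dynamic rules first
            if key in state or key[2:] + key[:2] in state:
                return "allow"
            continue
        if matches(rule, pkt):
            if rule.get("keep_state"):       # create a dynamic rule for this flow
                state.add(key)
            return rule["action"]
    return "deny"                            # no match: implicit default deny

def run(rules, packets):
    state = set()
    return [evaluate(rules, p, state) for p in packets]

def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}

# Constructed three-way handshake plus one data segment of an HTTP connection.
HANDSHAKE = [pkt(CLIENT, 40000, SERVER, 80, SYN), pkt(SERVER, 80, CLIENT, 40000, SYN | ACK),
             pkt(CLIENT, 40000, SERVER, 80, ACK), pkt(CLIENT, 40000, SERVER, 80, PSH | ACK)]
SETUP_ONLY = [{"action": "allow", "dst": SERVER, "dport": 80, "opt": "setup"}]
SETUP_PLUS_ESTABLISHED = SETUP_ONLY + [{"action": "allow", "opt": "established"}]
STATEFUL = [{"action": "check-state"},
            {"action": "allow", "dst": SERVER, "dport": 80, "opt": "setup", "keep_state": True}]
```

With `SETUP_ONLY` only the SYN passes and the handshake never completes; adding `established` lets the connection through, but it also accepts any ACK-flagged packet from a source that never sent a SYN, which the `check-state`/`keep-state` form rejects.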