Date: Fri, 17 Aug 2001 01:23:04 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: default - Subscriptions <default013subscriptions@hotmail.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Question about IPFW keep-state
Message-ID: <20010817012304.Q4232@blossom.cjclark.org>
In-Reply-To: <OE34lpT5HaAIcQfjodS0000d737@hotmail.com>; from default013subscriptions@hotmail.com on Thu, Aug 16, 2001 at 05:57:30PM -0500
References: <OE34lpT5HaAIcQfjodS0000d737@hotmail.com>
On Thu, Aug 16, 2001 at 05:57:30PM -0500, default - Subscriptions wrote:
> Hi,
>
> I am considering using some keep-state rules in my firewall code, however I
> would like some clarification on what keep-state actually does...
>
> I read the man page on it and it says that this is a dynamic ruleset...
> which I don't quite understand either... it sounds as if it may be more
> complicated than it seems...
>
> Do the rulesets below work that simply? Or is there more to this that is not
> so easily understood? (such as a deeper ruleset for the basic dynamic
> rulesets to follow, modifications to IPFW, or NATD (which I don't use right
> now...)
>
> ex.:
>
> add allow udp from <myip> to any keep-state # Allow outgoing UDP and
> responses (mainly for DNS)

You might want to make that tighter,

    add allow udp from <myip> to any 53 keep-state

> allow icmp from <myip> to any keep-state # Allow outgoing ICMP
> and responses (traceroutes and pings...)

traceroute(8) does send ICMP and ipfw(8) keeps state on ICMP by
passing any legal ICMP through the keep-state rule (e.g. if you ping
machine A, not only can the echo replies come back from A, but A can
send echo requests to you and they pass since they are ICMP).

--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
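To make the behaviour discussed in the thread concrete, here is an added example (not from the mail, and not ipfw's own code) that models the dynamic-rule semantics described above: a packet matching a keep-state rule records a state entry, and later packets fitting that entry in either direction pass. UDP entries are keyed on both address/port pairs, while ICMP entries, following the reply's description, are keyed on the address pair only, so any ICMP from the peer host passes. The addresses, port numbers and the single-method "check" (real ipfw uses a separate check-state rule and expires entries) are constructed assumptions for the illustration.

```python
# Simplified model of ipfw keep-state as described in the mail.
# Added illustration, not ipfw source: state keys and the ICMP
# address-only rule are assumptions made to show the effect.
from dataclasses import dataclass
from typing import Optional

MYIP = "192.0.2.10"  # constructed address from the RFC 5737 test block


@dataclass(frozen=True)
class Packet:
    proto: str                      # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


@dataclass(frozen=True)
class Rule:
    """One 'allow <proto> from <src> to <dst> [<dport>] keep-state' rule."""
    proto: str
    src: str                        # address or "any"
    dst: str
    dport: Optional[int] = None     # None means "any port"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and self.src in ("any", p.src)
                and self.dst in ("any", p.dst)
                and (self.dport is None or p.dport == self.dport))


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)    # static keep-state rules
        self.state = set()          # dynamic entries created by matches

    @staticmethod
    def _key(p: Packet):
        # ICMP carries no ports, so the entry is per address pair only;
        # the ICMP type is deliberately not part of the key.
        if p.proto == "icmp":
            return ("icmp", p.src, p.dst)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        if p.proto == "icmp":
            return ("icmp", p.dst, p.src)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def check(self, p: Packet) -> bool:
        # Dynamic entries match in either direction (the check-state step).
        if self._key(p) in self.state or self._reverse_key(p) in self.state:
            return True
        # Otherwise a static rule must match, and the match creates an entry.
        for r in self.rules:
            if r.matches(p):
                self.state.add(self._key(p))
                return True
        return False                # implicit deny


def demo():
    """Run the tighter DNS rule and the ICMP rule over constructed traffic."""
    fw = StatefulFirewall([
        Rule("udp", MYIP, "any", dport=53),   # the tightened rule from the reply
        Rule("icmp", MYIP, "any"),            # outgoing ICMP keep-state
    ])
    dns = "198.51.100.53"       # constructed resolver
    peer_a = "203.0.113.7"      # constructed "machine A"
    stranger = "203.0.113.8"    # constructed host we never talked to
    r = {}
    r["dns_query_out"] = fw.check(Packet("udp", MYIP, dns, 40000, 53))
    r["dns_reply_back"] = fw.check(Packet("udp", dns, MYIP, 53, 40000))
    r["dns_reply_other_port"] = fw.check(Packet("udp", dns, MYIP, 53, 40001))
    r["udp_non_dns_out"] = fw.check(Packet("udp", MYIP, dns, 40002, 1234))
    r["unsolicited_udp_in"] = fw.check(Packet("udp", peer_a, MYIP, 53, 40000))
    r["ping_out_to_a"] = fw.check(Packet("icmp", MYIP, peer_a, icmp_type=8))
    r["echo_reply_from_a"] = fw.check(Packet("icmp", peer_a, MYIP, icmp_type=0))
    r["echo_request_from_a"] = fw.check(Packet("icmp", peer_a, MYIP, icmp_type=8))
    r["icmp_from_stranger"] = fw.check(Packet("icmp", stranger, MYIP, icmp_type=8))
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22s} {'allow' if allowed else 'deny'}")
```

The two ICMP results from machine A are the point of the reply: once the outbound ping has created an entry, both A's echo reply and A's own echo request are accepted, while ICMP from a host you never pinged is still dropped. The UDP results show why restricting the rule to port 53 is tighter: non-DNS UDP never creates state, and a reply to a port you did not send from does not match.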