From owner-freebsd-questions Fri Aug 17 1:23:20 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id 082D337B412 for ; Fri, 17 Aug 2001 01:23:12 -0700 (PDT) (envelope-from cjc@earthlink.net)
Received: from blossom.cjclark.org (pool0642.cvx20-bradley.dialup.earthlink.net [209.179.252.132]) by hawk.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id BAA13235; Fri, 17 Aug 2001 01:23:06 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7H8N4R08392; Fri, 17 Aug 2001 01:23:04 -0700 (PDT) (envelope-from cjc)
Date: Fri, 17 Aug 2001 01:23:04 -0700
From: "Crist J. Clark"
To: default - Subscriptions
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Question about IPFW keep-state
Message-ID: <20010817012304.Q4232@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from default013subscriptions@hotmail.com on Thu, Aug 16, 2001 at 05:57:30PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Aug 16, 2001 at 05:57:30PM -0500, default - Subscriptions wrote:
> Hi,
>
> I am considering using some keep-state rules in my firewall code; however, I
> would like some clarification on what keep-state actually does...
>
> I read the man page on it and it says that this is a dynamic ruleset...
> which I don't quite understand either... it sounds as if it may be more
> complicated than it seems...
>
> Do the rulesets below work that simply? Or is there more to this that is not
> so easily understood? (such as a deeper ruleset for the basic dynamic
> rulesets to follow, modifications to IPFW, or NATD (which I don't use right
> now...)
>
> ex.:
>
> add allow udp from to any keep-state # Allow outgoing UDP and
> responses (mainly for DNS)

You might want to make that tighter,

add allow udp from to any 53 keep-state

> allow icmp from to any keep-state # Allow outgoing ICMP
> and responses (traceroutes and pings...)

traceroute(8) does send ICMP and ipfw(8) keeps state on ICMP by passing
any legal ICMP through the keep-state rule (e.g. if you ping machine A,
not only can the echo replies come back from A, but A can send echo
requests to you and they pass since they are ICMP).
--
Crist J. Clark                     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
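To make the "dynamic ruleset" behaviour concrete, here is an added toy model of what a keep-state rule does; it is example code written for this page, not code from the thread above and not FreeBSD's ipfw(8) implementation. The model implements only the behaviour the reply describes: the first packet that matches a keep-state rule installs a dynamic rule for that flow, later packets matching the dynamic rule in either direction are accepted before the static rules are consulted, and for ICMP (no ports) the dynamic rule collapses to the address pair, so any ICMP between the two hosts passes once one ICMP packet has been allowed. The inside network 192.0.2.0/24, the outside addresses, the rule structure and the `demo` function are constructed assumptions; rule expiry, ICMP types and TCP flag tracking are deliberately left out.

```python
"""Toy model of ipfw(8) keep-state semantics (added example, not ipfw's code)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp", "tcp" or "icmp"
    src: str
    sport: int        # 0 for icmp
    dst: str
    dport: int        # 0 for icmp


@dataclass
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "udp", "tcp", "icmp" or "ip"
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    dport: Optional[int]     # None means any destination port
    keep_state: bool = False


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _in_net(pkt.src, rule.src) and _in_net(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def _state_key(pkt: Packet):
    # The dynamic rule is keyed on the unordered pair of endpoints, so a packet
    # and its reply share one key.  ICMP carries no ports (both are 0 here), so
    # the key degenerates to the address pair: that is why, once you ping A,
    # any ICMP from A to you also matches the dynamic rule.
    return (pkt.proto, frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class Firewall:
    """Static rules in order, with an implicit check-state before them."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.dynamic = set()      # installed dynamic rules (no expiry in this model)

    def process(self, pkt: Packet) -> str:
        key = _state_key(pkt)
        if key in self.dynamic:           # check-state: matches either direction
            return "allow"
        for rule in self.rules:
            if _matches(rule, pkt):
                if rule.action == "allow" and rule.keep_state:
                    self.dynamic.add(key)  # first match installs the dynamic rule
                return rule.action
        return "deny"                      # default deny when nothing matched


INSIDE = "192.0.2.0/24"   # constructed stand-in for the poster's inside network


def loose_rules():
    # Mirrors the poster's "allow udp from <inside> to any keep-state".
    return [Rule("allow", "udp", INSIDE, "any", None, keep_state=True),
            Rule("allow", "icmp", INSIDE, "any", None, keep_state=True)]


def tight_rules():
    # Mirrors the reply's suggestion: "allow udp from <inside> to any 53 keep-state".
    return [Rule("allow", "udp", INSIDE, "any", 53, keep_state=True),
            Rule("allow", "icmp", INSIDE, "any", None, keep_state=True)]


def demo(rules) -> dict:
    """Run a constructed packet sequence through the rules and return verdicts."""
    fw = Firewall(rules)
    r = {}
    # DNS query out, then the reply back on the same flow (state admits it).
    r["dns_query"] = fw.process(Packet("udp", "192.0.2.10", 40000, "198.51.100.5", 53))
    r["dns_reply"] = fw.process(Packet("udp", "198.51.100.5", 53, "192.0.2.10", 40000))
    # UDP from outside to a port nobody asked from: no state, no static match.
    r["unsolicited_udp"] = fw.process(Packet("udp", "198.51.100.5", 53, "192.0.2.10", 40001))
    # Inside host sending UDP somewhere other than port 53: only the loose rule allows it.
    r["udp_to_other_port"] = fw.process(Packet("udp", "192.0.2.10", 40002, "198.51.100.5", 6000))
    # Ping out, then ICMP back from the pinged host (echo reply or otherwise: the
    # model cannot tell types apart, which is exactly the reply's point), then
    # ICMP from a host we never talked to.
    r["ping_out"] = fw.process(Packet("icmp", "192.0.2.10", 0, "203.0.113.7", 0))
    r["icmp_back_from_pinged_host"] = fw.process(Packet("icmp", "203.0.113.7", 0, "192.0.2.10", 0))
    r["icmp_from_other_host"] = fw.process(Packet("icmp", "203.0.113.8", 0, "192.0.2.10", 0))
    return r


if __name__ == "__main__":
    for name, rules in (("loose", loose_rules()), ("tight", tight_rules())):
        print(name, demo(rules))
```

Running it shows the one difference between the two rule sets: with the loose rule an inside host can open a UDP flow to any port and every reply to that flow is then admitted, while the `to any 53` form only creates state for DNS. Both rule sets admit ICMP from a host you have pinged regardless of ICMP type, and neither admits unsolicited packets for which no dynamic rule exists.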