Date: Fri, 19 Mar 2004 01:50:10 +0200
From: "Tomi Kaistila" <tomi.kaistila@datamike.org>
To: <freebsd-net@freebsd.org>
Subject: Filtering established connection in ipfw
Message-ID: <20040318234957.WNT17548.fep17.inet.fi@zeus>
Hello,

Some time ago I got a second computer. I installed FreeBSD 5.2 on it (full installation) and I'm on my way to making a server out of it. Basically from the beginning, I've been struggling with ipfw to make up a good ruleset. I've enabled IPFIREWALL in the kernel. My philosophy is: if it's not in the rules, deny it. I have a very strict ruleset at the moment, only allowing connections to certain services, and all from designated ports. All other connections are denied.

My problem is that this also hinders my use of the Internet from this machine. Although I have a rule that allows all connections from the server to the outside, many connections spawn a reply; i.e. if I ping an address, I must also enable ICMP from the outside world to my machine to receive the reply.

My question is: can I make a rule that allows such replies to pass the packet filter, but drops a packet if it is not such a reply or a similar signal? I tried using the setup and established flags, but either I did something wrong or it just didn't work out that way.

-- 
Tomi
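The behaviour asked for above is what ipfw's dynamic rules provide. The `established` option is stateless: it matches any TCP segment with the ACK or RST bit set, it keeps no record of which connections the host actually opened, and it does nothing for UDP or ICMP, so it cannot let a ping reply through. `keep-state` on an outbound rule records the flow (protocol, addresses, ports; for ICMP the "ports" are zero) and `check-state`, placed before the deny rules, passes the reverse-direction packets of that flow. The script below is an added example written for this reply; it is not Tomi's ruleset and not from the FreeBSD sources. The external interface name `fxp0` and the single offered service (SSH on port 22) are assumptions, and `FWCMD` defaults to `echo ipfw` so the script only prints the rules unless you run it with `FWCMD=/sbin/ipfw`. Syntax is the ipfw2 form that FreeBSD 5.x uses by default.

```shell
#!/bin/sh
# Added example (not the original poster's rules): a default-deny ipfw ruleset
# that lets the host talk outbound and receive only the replies to that traffic,
# using keep-state/check-state instead of the stateless "established" flag.
# Assumptions: external interface is fxp0, the only offered service is SSH/22.

# Dry-run by default so the script is safe to run anywhere; set
# FWCMD=/sbin/ipfw in the environment to load the rules on a real host.
FWCMD="${FWCMD:-echo ipfw}"
EXT_IF="${EXT_IF:-fxp0}"        # assumed external interface name

fw() { $FWCMD "$@"; }

generate_rules() {
    fw -f flush

    # Loopback is always allowed; traffic claiming to be loopback on
    # other interfaces is spoofed and dropped.
    fw add 100 allow ip from any to any via lo0
    fw add 200 deny ip from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any

    # Dynamic-rule lookup: a packet that belongs to a flow recorded by a
    # keep-state rule below is accepted here, before any static deny.
    # This is what lets the ping reply (and DNS answers, TCP data) back in.
    fw add 1000 check-state

    # Service offered by this host. "setup" matches only the initial SYN,
    # "keep-state" records the connection so the server's replies and the
    # client's later segments both pass via check-state.
    fw add 2000 allow tcp from any to me 22 in via "$EXT_IF" setup keep-state

    # Everything this host initiates: TCP (SYN only), UDP and ICMP each
    # create a dynamic rule; the reverse direction needs no separate allow.
    fw add 3000 allow tcp from me to any out via "$EXT_IF" setup keep-state
    fw add 3100 allow udp from me to any out via "$EXT_IF" keep-state
    fw add 3200 allow icmp from me to any out via "$EXT_IF" keep-state

    # ICMP errors (3 = unreachable, 11 = time exceeded) come from intermediate
    # routers, not the peer, so they never match a dynamic rule. Admit them so
    # path-MTU discovery and traceroute keep working.
    fw add 3300 allow icmp from any to me in via "$EXT_IF" icmptypes 3,11

    # Default policy: log and drop everything that did not match above.
    fw add 65000 deny log ip from any to any
}

# Emit (or load, when FWCMD is the real ipfw) the ruleset.
generate_rules
```

The rule numbers are spaced so that further services can be added between 2000 and 3000 with the same `setup keep-state` pattern; because every inbound accept is stateful, nothing inbound is ever opened by a bare "allow from any" rule, which is the property the poster wants. Dynamic rules expire on their own (see `net.inet.ip.fw.dyn_*` sysctls), so idle flows do not keep a hole open indefinitely.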