From owner-freebsd-net@FreeBSD.ORG Thu Mar 18 15:58:44 2004
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD5B316A4CE for ; Thu, 18 Mar 2004 15:58:44 -0800 (PST)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 53CDF43D31 for ; Thu, 18 Mar 2004 15:58:44 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 21531 invoked from network); 18 Mar 2004 23:58:43 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 18 Mar 2004 23:58:43 -0000
X-pair-Authenticated: 209.68.2.70
Date: Thu, 18 Mar 2004 17:58:42 -0600 (CST)
From: Mike Silbersack
To: Tomi Kaistila
In-Reply-To: <20040318234957.WNT17548.fep17.inet.fi@zeus>
Message-ID: <20040318175650.O1495@odysseus.silby.com>
References: <20040318234957.WNT17548.fep17.inet.fi@zeus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-net@freebsd.org
Subject: Re: Filtering established connection in ipfw
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 18 Mar 2004 23:58:44 -0000

On Fri, 19 Mar 2004, Tomi Kaistila wrote:

> My question is, can I make a rule that allows such replies to pass the
> packet filter, but to drop if it is not such a reply or similar signal? I
> tried using the setup and established flags but either I did something
> wrong or it just didn't work out that way.
>
> --
> Tomi

What you want is a stateful firewall, aka dynamic firewall rules. Just use

    ipfw add allow ip from yourip to any keep-state

and ipfw will do what you want. This is described in the ipfw manpage,
although it's perhaps not explained as well as it could be.

Mike "Silby" Silbersack
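The difference between the two approaches in the thread, shown as an added example that is not part of the original mail. It models ipfw's `setup` keyword (SYN set, ACK clear) and `established` keyword (ACK or RST set) against a `check-state`/`keep-state` dynamic rule, and runs both over a few constructed TCP packets. The addresses (192.0.2.10 as "yourip", a peer and an unsolicited sender) are made up for illustration, and the surrounding `check-state` and default `deny` rules in the modelled ruleset are my additions, not part of the one-line rule Silbersack posted:

```python
"""Model of ipfw 'setup'/'established' versus 'check-state'/'keep-state'.

Added example, not from the mailing-list post. The two rulesets being
modelled (the check-state and deny rules are assumptions added here):

    # stateless: flag matching only
    ipfw add allow tcp from yourip to any setup
    ipfw add allow tcp from any to yourip established
    ipfw add deny ip from any to any

    # stateful: dynamic rules, as the reply recommends
    ipfw add check-state
    ipfw add allow ip from yourip to any keep-state
    ipfw add deny ip from any to any
"""
from dataclasses import dataclass

YOURIP = "192.0.2.10"       # "yourip" in the posted rule (constructed)
PEER = "198.51.100.7"       # a host we legitimately connect to (constructed)
STRANGER = "203.0.113.9"    # an unsolicited sender (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset        # subset of {"SYN", "ACK", "RST", "FIN"}


def is_setup(p):
    """ipfw 'setup': SYN set and ACK clear (a connection attempt)."""
    return "SYN" in p.flags and "ACK" not in p.flags


def is_established(p):
    """ipfw 'established': ACK or RST set. Note this is a property of
    the packet alone; anyone can set those bits on a packet they craft."""
    return bool(p.flags & {"ACK", "RST"})


def stateless_filter(packets):
    """Flag-based ruleset: no memory of which connections exist."""
    verdicts = []
    for p in packets:
        if p.src == YOURIP and is_setup(p):
            verdicts.append("allow")
        elif p.dst == YOURIP and is_established(p):
            verdicts.append("allow")
        else:
            verdicts.append("deny")
    return verdicts


class StatefulFilter:
    """check-state / keep-state: matching 'allow ip from yourip to any
    keep-state' records the 5-tuple; later packets in either direction
    of that 5-tuple match at check-state and are allowed."""

    def __init__(self):
        self.dynamic = set()

    @staticmethod
    def _key(p):
        # direction-insensitive key on the two endpoints (protocol is TCP
        # throughout this example, so it is left out of the key)
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def filter(self, packets):
        verdicts = []
        for p in packets:
            key = self._key(p)
            if key in self.dynamic:     # check-state hit
                verdicts.append("allow")
            elif p.src == YOURIP:       # keep-state rule matches, create entry
                self.dynamic.add(key)
                verdicts.append("allow")
            else:                       # default deny
                verdicts.append("deny")
        return verdicts


# Constructed traffic: our outbound connection, its reply, then two
# unsolicited inbound packets, one of which carries the ACK bit.
TRAFFIC = [
    Packet(YOURIP, 51000, PEER, 80, frozenset({"SYN"})),
    Packet(PEER, 80, YOURIP, 51000, frozenset({"SYN", "ACK"})),
    Packet(STRANGER, 4444, YOURIP, 22, frozenset({"ACK"})),
    Packet(STRANGER, 4444, YOURIP, 22, frozenset({"SYN"})),
]


def compare(packets=TRAFFIC):
    """Return the verdict list of each ruleset for the same packet stream."""
    return {
        "stateless": stateless_filter(packets),
        "stateful": StatefulFilter().filter(packets),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the one that matters: `established` lets it through because the ACK bit is set, which is exactly how an ACK scan maps out flag-based filters, while the dynamic ruleset denies it because no entry was ever created by traffic from yourip to that host and port. The stateful model places `check-state` first; without an explicit `check-state`, ipfw consults the dynamic rules at the first `keep-state` rule it reaches instead, which gives the same result for this ruleset.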