Date: Sun, 6 Apr 2003 06:10:38 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Robin Ericsson <lobbin@localhost.nu>
Cc: freebsd-questions@freebsd.org
Subject: Re: input on ipfw rules
Message-ID: <20030406031038.GB4130@gothmog.gr>
In-Reply-To: <008d01c2fbac$86dcf710$0401a8c0@metis>
References: <008d01c2fbac$86dcf710$0401a8c0@metis>
On 2003-04-05 21:49, Robin Ericsson <lobbin@localhost.nu> wrote:
> I would like to get some input on these rules I'm currently using.
>
> I come from a linux/cisco background, so I want to know how bad these
> are :) mostly my questions are the keep-state stuff. I guess 00235 can
> go, as I think that one allows all traffic from that specific ip if
> already connected elsewhere?

True.

> ipfw add 00230 check-state
> ipfw add 00235 allow tcp from any to any in established

You don't need both of these... The 'established' one can safely go
away if you make it a habit of writing rules with 'keep-state' as shown
below:

> # ssh
> ipfw add 00700 allow tcp from any to me 22 keep-state

- Giorgos
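The keep-state pattern Giorgos describes, written out as a small ruleset (an added example, not code from the thread). Only rule 00230 and the ssh rule come from the message; the other rule numbers, the outbound rules, the port 80 service, the 'setup' keyword and the final deny are assumptions, and FWCMD defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: replace the blanket "allow tcp from any to any in established"
# rule with check-state plus one keep-state rule per permitted connection.
# Dry run by default; on FreeBSD run with FWCMD="ipfw -q" to load the rules.
FWCMD="${FWCMD:-echo ipfw}"

ruleset() {
    # Dynamic rules are consulted here, so packets belonging to a tracked
    # connection are accepted before any static rule below is evaluated.
    $FWCMD add 00230 check-state

    # Without the 'established' rule, replies to this host's own outbound
    # connections need a dynamic rule too: 'setup' matches only the SYN,
    # and keep-state creates the entry that check-state later matches.
    $FWCMD add 00300 allow tcp from me to any out setup keep-state
    $FWCMD add 00310 allow udp from me to any out keep-state

    # Inbound services, one rule each (ssh as in the thread; 80 is assumed).
    $FWCMD add 00700 allow tcp from any to me 22 setup keep-state
    $FWCMD add 00710 allow tcp from any to me 80 setup keep-state

    # Everything not matched by a dynamic rule or an explicit allow is dropped,
    # including stray ACK-only segments that 'established' would have let in.
    $FWCMD add 65000 deny log ip from any to any
}

# Sanity check for the generated ruleset: no rule may fall back on 'established'.
check_no_established() {
    ! ruleset | grep -q established
}
```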