Date: Sat, 12 Oct 2002 15:08:00 -0400
From: Dan Pelleg <daniel+fbsdq@pelleg.org>
To: questions@FreeBSD.ORG
Cc: "JoeB" <barbish@a1poweruser.com>
Subject: Re: How to use natd -punch_fw
Message-ID: <15784.29456.571349.96950@gargle.gargle.HOWL>
> How do I know how many lines in the ipfw rules file to reserve
> for the -punch_fw function?
> I can code 2 keep-state rules to allow passive FTP in & out.

Exactly "count" lines (the number after the colon in the punch_fw statement).

> What kind of dynamic ipfw rules is -punch_fw creating and
> inserting into the ipfw rules table on the fly?
> (stateless, setup/established, keep-state/check-state)

They're entries in the table. That table only records dest/src IP and port numbers, but not any more state. Filtered packets are checked against table entries and are allowed in if they match. keep-state/check-state is just a label on the rule that you would use to create such an entry (conditioned on seeing the right kind of packet, for example setup/established), but it makes no sense to talk about it in the context of an entry once it has been created. So the answer is: natd will simply create an entry in that table.

Here's an experiment you can do: add the punch_fw statement, start an FTP session, and repeatedly watch the generated rules with "ipfw -d show". You'll see what gets created, when, and when it's removed.

A good place to post your other questions would be the freebsd-ipfw mailing list; Luigi Rizzo hangs out there and he'll most certainly be able to answer them.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15784.29456.571349.96950>
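As an added example (not part of the original message, and not natd's or ipfw's own code), the POSIX sh script below does the bookkeeping the reply describes: it checks that the rule numbers reserved for `natd -punch_fw base:count` are not already occupied by the static ruleset, and counts the holes natd has punched in a later `ipfw -d show` listing. The interface name `fxp0`, the base/count `10000:20`, the addresses, and both ruleset listings are constructed assumptions, not captured output.

```shell
#!/bin/sh
# Added example, not code from the original message or from natd/ipfw.
# It audits a static ipfw ruleset against the rule-number range that
# "natd -punch_fw base:count" will use, and picks out the holes natd has
# punched in a later "ipfw -d show" listing. Interface, base, count,
# addresses and both listings below are constructed assumptions.

# Assumed natd invocation: natd -n fxp0 -punch_fw 10000:20
# natd will then add and delete rules numbered 10000..10019 as needed.
PUNCH_BASE=10000
PUNCH_COUNT=20

# Constructed "ipfw show" output for the static ruleset. Rule 10005 is a
# deliberate mistake: it sits inside the range reserved for natd.
STATIC_RULES='00100 0 0 divert 8668 ip from any to any via fxp0
00200 0 0 check-state
00300 0 0 allow tcp from any to any established
00400 0 0 allow tcp from any to any 21 in via fxp0 setup keep-state
10005 0 0 allow tcp from any to any 22 in via fxp0 setup keep-state
65535 0 0 deny ip from any to any'

# Constructed "ipfw -d show" output while an FTP data transfer is running.
# Rules 10000 and 10001 have the shape natd punches: a plain allow for one
# specific address/port pair in each direction, with no keep-state involved.
LIVE_RULES='00100 40 5120 divert 8668 ip from any to any via fxp0
00200 0 0 check-state
00300 30 4000 allow tcp from any to any established
00400 1 60 allow tcp from any to any 21 in via fxp0 setup keep-state
10000 3 180 allow tcp from 203.0.113.10 20 to 192.168.1.5 49152
10001 2 96 allow tcp from 192.168.1.5 49152 to 203.0.113.10 20
65535 2 120 deny ip from any to any'

# Usage: <ruleset> | rules_in_range BASE COUNT
# Prints the rule lines whose number lies in BASE..BASE+COUNT-1.
rules_in_range() {
    awk -v base="$1" -v count="$2" \
        '{ n = $1 + 0; if (n >= base && n < base + count) print }'
}

# Usage: <ruleset> | reserved_range_is_free BASE COUNT
# Returns 0 if no static rule occupies the reserved range, 1 otherwise
# (and names the offending rules on stdout).
reserved_range_is_free() {
    clash=$(rules_in_range "$1" "$2")
    if [ -n "$clash" ]; then
        echo "static rules collide with natd -punch_fw $1:$2:"
        echo "$clash"
        return 1
    fi
    return 0
}

# Usage: <ruleset> | punched_hole_count BASE COUNT
# Prints how many of the reserved slots are in use right now, i.e. how
# many holes natd has currently punched.
punched_hole_count() {
    rules_in_range "$1" "$2" | awk 'END { print NR + 0 }'
}

# Stand-alone run: audit the static ruleset, then inspect the live one.
printf '%s\n' "$STATIC_RULES" | reserved_range_is_free "$PUNCH_BASE" "$PUNCH_COUNT" \
    || echo "fix the ruleset before starting natd"
printf '%s\n' "$LIVE_RULES" | punched_hole_count "$PUNCH_BASE" "$PUNCH_COUNT"
```

On a real box you would feed the functions from `ipfw show` and `ipfw -d show` instead of the constructed strings, e.g. `ipfw show | reserved_range_is_free 10000 20` before starting natd, and `while :; do ipfw -d show | rules_in_range 10000 20; sleep 1; done` during an FTP transfer to watch the holes appear and disappear as the reply suggests.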