Date:      Sat, 21 Apr 2012 09:08:28 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        "Dmitry S. Kasterin" <dmk.sbor@gmail.com>
Cc:        freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: Stateful IPFW - too many connections in FIN_WAIT_2 or LAST_ACK states
Message-ID:  <4D11B17F-B0D4-4F71-A597-4A309D39C7B4@mac.com>
In-Reply-To: <CAJkxAbxwc1Xq7S9Hvkwg-ZtTW5GpOWv9ceHYRCa_WBJipS54+Q@mail.gmail.com>
References:  <CAJkxAbyMEYZ4pYu=z4Sfwdqtzh=PjhHE4qrbSsyL34YE9TnXZQ@mail.gmail.com> <CAJkxAbyi7hx9Dugtw5-Md1y77JRzOu3bygS8ntfQg+kw1KZ63w@mail.gmail.com> <CAN6yY1uRrfv0Bdeb+tosna8O8ajD_H1j7N=akL7PS8XC3X09qA@mail.gmail.com> <CAHu1Y72HG00_yv0wyk_7rRC1bb0SNa+cEOoXZTALV6bkBj207g@mail.gmail.com> <CAN6yY1s608M5coYP76OvBvOqd5HqZFyaiVb8PdviGFVN-Do1sg@mail.gmail.com> <CAJkxAbyG1+kc8C_V8Ehr7cuYuaGm0VQ1C6gfXJUp1_7Vh4_zug@mail.gmail.com> <CAJkxAbwYUtcyXGFEiXiZXLEzf9EPTTwdq1-y-ngT6OuKXk1o2A@mail.gmail.com> <CAN6yY1tHvKhk4PLTmS6Yv9PvNoKdBV_fhR5UhKM2_ua8zh-d0Q@mail.gmail.com> <CAJkxAbxwc1Xq7S9Hvkwg-ZtTW5GpOWv9ceHYRCa_WBJipS54+Q@mail.gmail.com>

On Apr 21, 2012, at 4:41 AM, Dmitry S. Kasterin wrote:
> The "DYNAMIC RULES" section gives the following recommendation:
> 	   ipfw add check-state
> 	   ipfw add deny tcp from any to any established
> 	   ipfw add allow tcp from my-net to any setup keep-state
> 
> Is the second rule necessary?

If your security policy is "default deny", then yes.

Regards,
-- 
-Chuck
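Added example (not part of the thread, and not Chuck's or Dmitry's script): the three rules from the DYNAMIC RULES section of ipfw(8), installed from a FreeBSD-style firewall script, with the role of the "deny ... established" rule spelled out in comments. In ipfw, "established" matches TCP segments with ACK or RST set and "setup" matches SYN-without-ACK, so after check-state has admitted everything belonging to a tracked connection, rule 200 catches any remaining mid-stream segment (stale, spoofed or injected) before a later allow rule could match it. The final explicit deny makes the policy default-deny even on a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT. The IPFW override variable, the rule numbers and the 192.0.2.0/24 network are assumptions made for this example.

```shell
#!/bin/sh
# Added example: minimal default-deny stateful ipfw ruleset, written in the
# style of a FreeBSD firewall_script. Not code from the original thread.
# IPFW is a hypothetical override so the script can be dry-run (IPFW=echo
# prints the commands instead of installing them).

# install_ruleset MY_NET
# Installs the ruleset quoted in the thread plus an explicit final deny.
install_ruleset() {
    my_net="$1"
    fwcmd="${IPFW:-/sbin/ipfw}"

    # Start from an empty ruleset.
    "$fwcmd" -q -f flush

    # 1. Segments that belong to a tracked connection match here and take the
    #    action of the keep-state rule that created the dynamic entry (allow).
    "$fwcmd" add 100 check-state

    # 2. Any other TCP segment with ACK or RST set ("established") has no state
    #    entry: it is stale, spoofed or injected. Drop it here so that no later
    #    allow rule can ever match it.
    "$fwcmd" add 200 deny tcp from any to any established

    # 3. Only new connections (SYN without ACK, "setup") from my-net create
    #    state; their replies are then admitted by rule 100.
    "$fwcmd" add 300 allow tcp from "$my_net" to any setup keep-state

    # 4. Everything else is dropped explicitly, regardless of the kernel's
    #    compiled-in default for rule 65535.
    "$fwcmd" add 65000 deny ip from any to any
}
```

Run it for real as root with `install_ruleset 192.0.2.0/24`, or dry-run it with `IPFW=echo install_ruleset 192.0.2.0/24` to see the exact rule lines in order. Without rule 200, a non-SYN segment that matched no dynamic entry would fall through to whatever allow rules follow rule 300 in a larger ruleset, which is why the explicit deny belongs right after check-state.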