Date: Fri, 04 Apr 2008 10:51:47 +0200
From: Ivan Voras <ivoras@freebsd.org>
To: freebsd-net@freebsd.org
Subject: Re: Trouble with IPFW or TCP?
Message-ID: <ft4q79$ub9$1@ger.gmane.org>
In-Reply-To: <47F5748F.9050207@elischer.org>
References: <ft3phn$ai3$1@ger.gmane.org> <20080403234059.GA53417@owl.midgard.homeip.net> <ft3qji$cr9$1@ger.gmane.org> <47F5748F.9050207@elischer.org>
Julian Elischer wrote:
> Ivan Voras wrote:
>> Not according to the ipfw(8) manual:
>>
>> """
>> These dynamic rules, which have a limited lifetime, are checked at the
>> first occurrence of a check-state, keep-state or limit rule, and are
>> typically used to open the firewall on-demand to legitimate traffic only.
>> See the STATEFUL FIREWALL and EXAMPLES Sections below for more
>> information on the stateful behaviour of ipfw.
>> """
>>
>> I read this to mean the dynamic rules are checked at rule #5000 from
>> the above list. Is there an advantage to having an explicit
>> check-state rule in simple rulesets like this one?
>
> the docs are wrong then I think.

Ok, but:

- The connections work. If keep-states don't include an implicit check-state somewhere, the behaviour should be as if there's no "keep-state" option to the rules, i.e. only the "setup" (syn,!ack) packet would pass, which would prevent TCP connections from happening (from experience I know that omitting keep-state works just like that).

- The same behaviour works on other machines (no explicit check-state) ranging from 5.x to 7-STABLE.

- I've been using ipfw this way since FreeBSD 4.4 or something like that, without the described problems.

The other machine with 7.x also doesn't have check-state and works.
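The point both posters are circling is where in the ruleset the dynamic table is consulted: per the quoted ipfw(8) text, at the first check-state, keep-state or limit rule, which is why a ruleset with keep-state and no explicit check-state still passes return traffic. The following is an added example, not code from the thread or from ipfw itself: a deliberately small Python model of that lookup order (TCP only, "established" reduced to "ACK set", only allow rules create state, host labels like "me" and "peer" are constructed) showing the implicit case working, a ruleset where a deny of established packets sits before the first keep-state rule and silently breaks the handshake, and the explicit check-state that repairs it.

```python
# Toy model of ipfw's stateful lookup order (added example, not ipfw code).
# Only the behaviour described in the quoted ipfw(8) text is modelled:
# rules are walked in order and the dynamic table is consulted at the
# FIRST check-state or keep-state rule encountered, not before.
from dataclasses import dataclass, field

@dataclass
class Rule:
    num: int
    action: str                 # "allow" or "deny"
    src: str = "any"            # constructed host labels, e.g. "me"
    dst: str = "any"
    setup: bool = False         # match SYN without ACK only
    established: bool = False   # simplified: match packets with ACK set
    keep_state: bool = False
    check_state: bool = False

@dataclass
class Firewall:
    rules: list
    states: set = field(default_factory=set)   # (src, dst) of allowed flows

    def process(self, src, dst, syn, ack):
        """Return (verdict, matching rule number) for one TCP packet."""
        consulted = False
        for r in sorted(self.rules, key=lambda r: r.num):
            if (r.check_state or r.keep_state) and not consulted:
                consulted = True               # first stateful rule: look up flow
                if (src, dst) in self.states or (dst, src) in self.states:
                    return "allow", r.num      # dynamic rule matched
            if r.check_state:
                continue                       # check-state matches nothing else
            if r.src not in ("any", src) or r.dst not in ("any", dst):
                continue
            if r.setup and not (syn and not ack):
                continue
            if r.established and not ack:
                continue
            if r.keep_state and r.action == "allow":
                self.states.add((src, dst))    # create the dynamic rule
            return r.action, r.num
        return "deny", 65535                   # default rule

def handshake(fw):
    """Outbound SYN from "me", then the peer's SYN/ACK; return both verdicts."""
    out = fw.process("me", "peer", syn=True, ack=False)
    back = fw.process("peer", "me", syn=True, ack=True)
    return out[0], back[0]

# The thread's case: keep-state, no explicit check-state; works, because the
# return packet meets the keep-state rule (and thus the state table) first.
IMPLICIT = [Rule(100, "allow", "me", "any", setup=True, keep_state=True),
            Rule(200, "deny", "any", "me", established=True)]
# Same rules reordered: the deny is hit before any stateful rule, so the
# SYN/ACK is dropped and the state table is never consulted.
TOO_LATE = [Rule(100, "deny", "any", "me", established=True),
            Rule(200, "allow", "me", "any", setup=True, keep_state=True)]
# An explicit check-state ahead of the deny restores the handshake.
EXPLICIT = [Rule(50, "allow", check_state=True)] + TOO_LATE
```

Calling `handshake(Firewall(IMPLICIT))` returns ("allow", "allow"), `handshake(Firewall(TOO_LATE))` returns ("allow", "deny"), and `handshake(Firewall(EXPLICIT))` returns ("allow", "allow"), which is why an explicit check-state near the top is cheap insurance once a ruleset grows beyond the simple case discussed here.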