Date: Mon, 15 Jul 2002 21:04:17 +0200
From: Marc Olzheim <marcolz@stack.nl>
To: "Dmitry S. Rzhavin" <dima@rt.ru>
Cc: security@FreeBSD.ORG
Subject: Re: ipfw and keep-state
Message-ID: <20020715190417.GA72114@stack.nl>
In-Reply-To: <3D32D849.E3D8F2BE@rt.ru>
References: <3D32D849.E3D8F2BE@rt.ru>
> 10 pass tcp from any to ip2 in keep-state setup
> ... nothing interesting here
> 20 deny tcp from any to ip2
>
> Or, in other words, I want to pre-auth some packet with rule 10 to
> check it later. Then, I decide to drop it.
> But ipfw creates dynamic rule "inet <-> ip1" and passes this
> session. I think this is not good. Why does ipfw work this way?

"in" is just used to match packets not originating from, or, routed by
your machine. The action "pass" is what happens if the rule matches.
The actions are not split into "in", "bridge" and "out"... It's just
"accept", "deny" or "skipto". (and count, fwd, reset, divert, etc. but:)
The first three are enough to handle this:

10 skipto 20 tcp from any to ip2 in setup
...
20 deny tcp from any to ip2

Zlo
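As an added illustration (not part of this thread or of ipfw itself), the following Python model of ipfw's first-match evaluation shows why a "pass ... keep-state" rule ends processing and installs a dynamic rule before any later "deny" is consulted, while "skipto" merely jumps. The rule fields, packet dictionary and rulesets are constructed for the example and simplify real ipfw syntax.

```python
# Added example, not from the thread: a minimal model of ipfw rule evaluation.
# Only the pieces needed for the discussion are modelled: first-match order,
# "setup" (TCP SYN only), "keep-state" (implicit check-state plus a dynamic
# rule on match) and "skipto". Direction ("in") is omitted: it is just
# another match predicate, not part of the action.
from dataclasses import dataclass, field

@dataclass
class Rule:
    num: int
    action: str            # "pass", "deny" or "skipto"
    dst: str = "any"
    setup: bool = False    # match only connection setup (SYN) packets
    keep_state: bool = False
    target: int = 0        # rule number to jump to when action == "skipto"

@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)   # (src, dst) flows with a dynamic rule

    def matches(self, rule, pkt):
        if rule.dst != "any" and rule.dst != pkt["dst"]:
            return False
        return not (rule.setup and not pkt["syn"])

    def check(self, pkt):
        """Return (verdict, deciding rule) for one packet, first match wins."""
        flow = (pkt["src"], pkt["dst"])
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            # A keep-state rule first behaves as check-state for known flows.
            if rule.keep_state and flow in self.dynamic:
                return "pass", "dynamic"
            if not self.matches(rule, pkt):
                i += 1
                continue
            if rule.action == "skipto":   # jump, no verdict yet
                i = next((j for j, r in enumerate(self.rules) if r.num >= rule.target),
                         len(self.rules))
                continue
            if rule.action == "pass" and rule.keep_state:
                self.dynamic.add(flow)    # dynamic rule created as a side effect
            return rule.action, rule.num
        return "deny", "default"          # implicit default deny

def keepstate_ruleset():   # the poster's original rules 10 and 20
    return Firewall([Rule(10, "pass", dst="ip2", setup=True, keep_state=True),
                     Rule(20, "deny", dst="ip2")])

def skipto_ruleset():      # the reply's suggestion
    return Firewall([Rule(10, "skipto", dst="ip2", setup=True, target=20),
                     Rule(20, "deny", dst="ip2")])
```

Running `keepstate_ruleset().check({"src": "inet", "dst": "ip2", "syn": True})` returns a pass from rule 10 and every later packet of that flow passes on the dynamic rule; the same packet through `skipto_ruleset()` reaches rule 20 and is denied.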