Date: Mon, 21 Feb 2000 15:15:34 +0100 (CET)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: "Nicolai Petri (ML)" <nppmf@swamp.dk>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state option in CURRENT.
Message-ID: <200002211415.PAA93177@info.iet.unipi.it>
In-Reply-To: <Pine.BSF.4.21.0002211505030.31151-100000@distortion.dk> from "Nicolai Petri (ML)" at "Feb 21, 2000 03:15:00 pm"
> 1000 allow ip from ${MYIPADDR} to any keep-state
> 1100 allow ip from any to ${MYIPADD} 23 keep-state
> 1200 deny all from any to any
>
> In this setup, when will the dynamic rules be deleted?
> Is it when an incoming packet hits a deny rule, or when there are more
> than X rules and a new dynamic rule is created?
rule 1100 above is not even legal.
You should write the following rules
ipfw add 100 check-state
ipfw add 200 deny tcp from any to any established
ipfw add 1000 allow tcp from ${MYIPADDR} to any setup keep-state
ipfw add 1100 allow tcp from any to ${MYIPADDR} setup keep-state
ipfw add 2000 deny tcp from any to any
and then something else for other udp/tcp packets perhaps
ipfw add 1200 allow udp from ${MYIPADDR} to any keep-state
to let outgoing udp connections "open the firewall"
(note that rule 1100 will let requests from the outside be accepted;
maybe you want to restrict the allowed sources).
cheers
luigi
> ---
> Nicolai Petri
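Luigi's corrected rule set above, run through a small model of how ipfw walks a stateful ruleset. This is an example added for the archive reader, not code from the thread and not ipfw's own implementation: it simplifies `established` to "ACK set", assumes a default-deny policy after the last rule, assumes dynamic entries expire after an idle lifetime of 300 seconds (the real daemon has its own sysctl-tuned lifetimes), and uses constructed addresses from the documentation ranges. It also encodes the reason the original `allow ip from any to ${MYIPADD} 23` is rejected: a port qualifier only makes sense for tcp or udp.

```python
from dataclasses import dataclass
from typing import Optional

MYIPADDR = "192.0.2.10"  # constructed address standing in for ${MYIPADDR}


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False
    t: float = 0.0       # arrival time in seconds (constructed clock)


@dataclass
class Rule:
    num: int
    action: str              # "allow", "deny" or "check-state"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    setup: bool = False      # only SYN-without-ACK packets
    established: bool = False  # simplified here: packets with ACK set
    keep_state: bool = False


def is_legal(r: Rule) -> bool:
    """A port qualifier is only valid on tcp/udp rules; this is why the
    original rule 1100 ('allow ip ... 23 keep-state') is not legal."""
    return r.dport is None or r.proto in ("tcp", "udp")


def matches(r: Rule, p: Packet) -> bool:
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.src != "any" and r.src != p.src:
        return False
    if r.dst != "any" and r.dst != p.dst:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    if r.setup and not (p.syn and not p.ack):
        return False
    if r.established and not p.ack:
        return False
    return True


class Firewall:
    def __init__(self, rules, lifetime=300.0):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.lifetime = lifetime  # assumed idle lifetime of a dynamic entry
        self.dyn = {}             # flow key -> expiry time

    @staticmethod
    def _key(p: Packet):
        # Direction-independent flow key so replies hit the same entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def filter(self, p: Packet):
        # Expired dynamic rules are dropped before evaluation (assumed model).
        self.dyn = {k: exp for k, exp in self.dyn.items() if exp > p.t}
        k = self._key(p)
        for r in self.rules:
            if r.action == "check-state":
                if k in self.dyn:
                    self.dyn[k] = p.t + self.lifetime  # refresh on traffic
                    return ("allow", r.num, "dynamic")
                continue
            if matches(r, p):
                if r.keep_state and r.action == "allow":
                    self.dyn[k] = p.t + self.lifetime
                return (r.action, r.num, "static")
        return ("deny", None, "default")  # assumed default-deny policy


def build_ruleset():
    """Luigi's rules from the message above, as Rule objects."""
    return [
        Rule(100, "check-state"),
        Rule(200, "deny", proto="tcp", established=True),
        Rule(1000, "allow", proto="tcp", src=MYIPADDR, setup=True, keep_state=True),
        Rule(1100, "allow", proto="tcp", dst=MYIPADDR, setup=True, keep_state=True),
        Rule(1200, "allow", proto="udp", src=MYIPADDR, keep_state=True),
        Rule(2000, "deny", proto="tcp"),
    ]


def demo():
    """Constructed packet trace; returns (action, rule number) per packet."""
    fw = Firewall(build_ruleset(), lifetime=300.0)
    ext, peer = "198.51.100.7", "203.0.113.5"  # constructed remote hosts
    packets = [
        Packet("tcp", MYIPADDR, ext, 54321, 80, syn=True, t=0),           # outbound connect
        Packet("tcp", ext, MYIPADDR, 80, 54321, syn=True, ack=True, t=1),  # its SYN/ACK reply
        Packet("tcp", peer, MYIPADDR, 4444, 22, ack=True, t=2),           # stray ACK, no state
        Packet("tcp", peer, MYIPADDR, 4444, 22, syn=True, t=3),           # inbound SYN (rule 1100 caveat)
        Packet("udp", MYIPADDR, ext, 5353, 53, t=4),                      # outbound udp query
        Packet("udp", ext, MYIPADDR, 53, 5353, t=5),                      # udp reply
        Packet("tcp", ext, MYIPADDR, 80, 54321, ack=True, t=1000),        # reply after state expired
    ]
    return [fw.filter(p)[:2] for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The trace shows the ordering that matters: the outbound SYN creates state at 1000, the reply is accepted at the `check-state` rule rather than by any static rule, an ACK with no matching state is stopped at 200 before it can reach anything permissive, the inbound SYN is accepted by 1100 (the caveat in the message), and once the entry has aged out the late reply falls through to the same deny at 200.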
