Date: Tue, 18 Apr 2006 02:43:29 +0100
From: RW <list-freebsd-2004@morbius.sent.com>
To: freebsd-questions@freebsd.org
Subject: Re: IPFW Problems?
Message-ID: <200604180243.31390.list-freebsd-2004@morbius.sent.com>
In-Reply-To: <444427F4.2070405@mac.com>
References: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com> <20060417224415.GY32062@bunrab.catwhisker.org> <444427F4.2070405@mac.com>
On Tuesday 18 April 2006 00:42, Chuck Swiger wrote:
> David Wolfskill wrote:
> > I thought check-state was fairly optional; ref:
> >
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic
> > only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> >
> > (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?

But the man page doesn't say *matching* rule, it says: "the first occurrence of a check-state, keep-state or limit rule". It is pretty vague though. The inference I take from this is that check-state mostly exists so you can force an early, fast hash-table lookup.
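The following is an added illustration of the placement question discussed in this thread; it is not from the original message or from FreeBSD. It writes out a minimal stateful ipfw ruleset in which an explicit check-state sits ahead of the static rules, so the dynamic-table lookup for reply packets happens before any static rule (including a deny) can be reached. The interface name bge0 comes from the quoted rule; the rule numbers are constructed for the example, and the ruleset is only printed, not loaded.

```shell
#!/bin/sh
# Added example, not from the thread or from the ipfw sources.
# ipfw_ruleset prints a rules file in the form "ipfw [-q] file" reads
# (one command per line, no leading "ipfw"). Rule numbers are constructed;
# bge0 is the interface named in the quoted rule.

ipfw_ruleset() {
    cat <<'EOF'
# Loopback first: cheap, and it needs no dynamic rules.
add 100 allow ip from any to any via lo0
# Explicit check-state: the dynamic table is consulted here, before any
# static rule. A reply that matches a dynamic entry is accepted at this
# point and never reaches the rules below it.
add 200 check-state
# Outbound SSH. The setup packet matches, a dynamic entry is created, and
# the inbound replies are then accepted by rule 200 on the way back in.
add 300 allow tcp from any to any 22 out via bge0 setup keep-state
# Anything else inbound on bge0 is dropped. Without rule 200 the dynamic
# lookup would not occur until rule 300, i.e. after this deny, and the
# replies would be dropped here.
add 400 deny ip from any to any in via bge0
add 65000 deny ip from any to any
EOF
}

# Succeeds when the first (non-comment) check-state line precedes the
# first (non-comment) keep-state line, i.e. the dynamic lookup is early.
check_state_is_early() {
    ipfw_ruleset | awk '
        !/^#/ && /check-state/ && !cs { cs = NR }
        !/^#/ && /keep-state/  && !ks { ks = NR }
        END { exit !(cs && ks && cs < ks) }'
}

# Number of static rules that would be tried before the dynamic lookup
# (the rules numbered below the check-state rule).
rules_before_check_state() {
    ipfw_ruleset | awk '
        !/^#/ && /check-state/ { exit }
        !/^#/ && $1 == "add"   { n++ }
        END { print n + 0 }'
}
```

To use it on a FreeBSD host, redirect the output of ipfw_ruleset to a file and load it with "ipfw -q file". The placement check is the point: moving rule 200 below rule 400 makes check_state_is_early fail, and that is exactly the configuration in which inbound replies to the keep-state rule are lost to the earlier deny.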