From: RW
To: freebsd-questions@freebsd.org
Date: Tue, 18 Apr 2006 02:43:29 +0100
Subject: Re: IPFW Problems?
Message-Id: <200604180243.31390.list-freebsd-2004@morbius.sent.com>
In-Reply-To: <444427F4.2070405@mac.com>
References: <71010EE4-5C3E-48D9-8634-3605CE86F8C5@allresearch.com> <20060417224415.GY32062@bunrab.catwhisker.org> <444427F4.2070405@mac.com>

On Tuesday 18 April 2006 00:42, Chuck Swiger wrote:
> David Wolfskill wrote:
> > I thought check-state was fairly optional; ref:
> >
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic
> > only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> >
> > (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?

But the man page doesn't say *matching* rule, it says: "the first occurrence of a check-state, keep-state or limit rule". It is pretty vague though.

The inference I take from this is that check-state mostly exists so you can force an early, fast hash-table lookup.
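To make the quoted man-page sentence concrete, here is an added, simplified Python model of the lookup order. It is not ipfw's code and is not from anyone in the thread; it assumes a reduced rule grammar (protocol, destination port, direction, setup, keep-state, check-state), a constructed SSH flow between 192.0.2.10 and 198.51.100.5, and ignores TCP state tracking and rule lifetimes. It models only what the man page states: the dynamic table is consulted at the first check-state or keep-state rule the packet reaches, before that rule's own static body is evaluated, and a hit executes the action of the rule that created the entry.

```python
"""Simplified model of ipfw dynamic-rule lookup order.

Added illustration for this thread; not ipfw source. Rule grammar is
reduced to what the discussion needs (proto, dst port, direction, setup,
keep-state, check-state) and addresses/ports are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    setup: bool = False     # SYN set and ACK clear, like ipfw's "setup"


@dataclass
class Rule:
    num: int
    action: str                     # "allow" or "deny" (unused for check-state)
    proto: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    setup: bool = False
    keep_state: bool = False
    check_state: bool = False

    def static_match(self, p: Packet) -> bool:
        # check-state has no static body: on a dynamic miss it just falls through
        if self.check_state:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.setup and not p.setup:
            return False
        return True


FlowKey = Tuple[str, str, int, str, int]


class Ipfw:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic: Dict[FlowKey, int] = {}   # flow -> number of the creating rule

    @staticmethod
    def flow_keys(p: Packet) -> Tuple[FlowKey, FlowKey]:
        # dynamic rules are bidirectional, so try both orientations of the 5-tuple
        return ((p.proto, p.src, p.sport, p.dst, p.dport),
                (p.proto, p.dst, p.dport, p.src, p.sport))

    def lookup_dyn(self, p: Packet) -> Optional[int]:
        for k in self.flow_keys(p):
            if k in self.dynamic:
                return self.dynamic[k]
        return None

    def check(self, p: Packet) -> Tuple[str, int]:
        """Walk the ruleset; return (action, number of the rule that decided)."""
        for r in self.rules:
            if r.check_state or r.keep_state:
                # the dynamic lookup happens here, at the first such rule,
                # before this rule's own static body is consulted
                creator = self.lookup_dyn(p)
                if creator is not None:
                    action = next(x.action for x in self.rules if x.num == creator)
                    return action, creator
            if r.static_match(p):
                if r.keep_state:
                    self.dynamic[self.flow_keys(p)[0]] = r.num
                return r.action, r.num
        return "deny", 65535   # default deny, like ipfw's final rule


# Constructed SSH flow: client 192.0.2.10:40000 -> server 198.51.100.5:22
SYN = Packet("tcp", "192.0.2.10", 40000, "198.51.100.5", 22, "out", setup=True)
SYNACK = Packet("tcp", "198.51.100.5", 22, "192.0.2.10", 40000, "in")
STRAY = Packet("tcp", "198.51.100.5", 22, "192.0.2.10", 40001, "in")  # no state for this

SSH_OUT = Rule(300, "allow", proto="tcp", dport=22, direction="out", setup=True, keep_state=True)
DENY_IN = Rule(400, "deny", proto="tcp", direction="in")


def keep_state_alone():
    """No check-state at all: the keep-state rule itself performs the lookup."""
    fw = Ipfw([SSH_OUT, DENY_IN])
    return fw.check(SYN), fw.check(SYNACK), fw.check(STRAY)


def deny_before_keep_state(with_check_state: bool):
    """An inbound deny placed above the keep-state rule; check-state moves the lookup above it."""
    rules = [Rule(200, "deny", proto="tcp", direction="in"), SSH_OUT]
    if with_check_state:
        rules.insert(0, Rule(100, "allow", check_state=True))
    fw = Ipfw(rules)
    return fw.check(SYN), fw.check(SYNACK)


if __name__ == "__main__":
    print("keep-state only      :", keep_state_alone())
    print("deny above, no check :", deny_before_keep_state(False))
    print("deny above, check    :", deny_before_keep_state(True))
```

In the first ruleset the SYN/ACK is accepted by rule 300 even though its static body ("out ... setup") would never match inbound traffic, because the dynamic lookup runs at the keep-state rule before that body is evaluated, while the stray inbound packet with no state falls through to rule 400. In the second ruleset the same reply is dropped by the earlier deny until a check-state is inserted above it, which is the "force an early lookup" role discussed above.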