From owner-freebsd-questions@FreeBSD.ORG Sat Oct 22 16:55:04 2011
Date: Sat, 22 Oct 2011 17:54:56 +0100
From: RW
To: freebsd-questions@freebsd.org
Message-ID: <20111022175456.0e7afccc@gumby.homeunix.com>
X-Mailer: Claws Mail 3.7.10 (GTK+ 2.24.6; amd64-portbld-freebsd8.2)
Subject: Re: Configuring IPFW

On Sat, 22 Oct 2011 09:56:12 -0400 Carmel wrote:

> I am attempting to set up a firewall using IPFW with a stateful
> behavior.
>
> While I have investigated how to set up these rules, I have run into
> conflicting opinions as to whether to allow or deny "established"
> behavior.
>
> EXAMPLE: (preceded by a "checkstate" rule)
>
> allow tcp from any to any established
>
> Some documentation states that it should be denied and others say it
> should be allowed. Neither has given me a convincing reason to follow
> either scenario or any real documentation either for that fact.

Normally if the rules are stateless you would allow established tcp
packets, but would deny them with stateful rules. In the latter case,
established traffic would be passed by the check-state
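The two rule styles the reply contrasts, written out as an added example that is not part of the thread: a stateless set that must allow `established` TCP, and a stateful set where `check-state` already passes replies to tracked sessions, so an `established` (ACK/RST) packet reaching a later rule belongs to no session and is denied. The interface name `em0`, the rule numbers and the SSH-only services are assumptions, as is the small awk check.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Interface name, rule numbers and allowed services are assumptions.
OIF="${OIF:-em0}"

# Stateless style: nothing tracks sessions, so replies to our own
# connections can only get back in through "allow ... established".
stateless_ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow tcp from any to any established
add 300 allow tcp from any to me 22 in via $OIF setup
add 65000 deny log ip from any to any
EOF
}

# Stateful style: check-state passes packets of sessions created by
# keep-state. A TCP packet with ACK/RST set that falls through to rule
# 300 matched no dynamic rule, so it is unsolicited and gets denied
# rather than allowed by a blanket "established" rule.
stateful_ruleset() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 deny log tcp from any to any established
add 400 allow tcp from me to any out via $OIF setup keep-state
add 500 allow tcp from any to me 22 in via $OIF setup keep-state
add 65000 deny log ip from any to any
EOF
}

# Lint for the stateful set: every "allow tcp" must carry keep-state and
# "established" may only appear in a deny rule. Exit 0 when the set is clean.
check_stateful() {
    stateful_ruleset | awk '
        /allow tcp/ && !/keep-state/ { bad = 1 }
        /established/ && !/deny/     { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# On FreeBSD (as root) load the stateful set; elsewhere just print it.
if command -v ipfw >/dev/null 2>&1; then
    stateful_ruleset | ipfw -q /dev/stdin
else
    stateful_ruleset
fi
```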