From: Michael Sierchio
To: RW
Cc: freebsd-questions@freebsd.org
Date: Sat, 22 Oct 2011 10:09:52 -0700
Subject: Re: Configuring IPFW
In-Reply-To: <20111022175456.0e7afccc@gumby.homeunix.com>

On Sat, Oct 22, 2011 at 9:54 AM, RW wrote:

> Normally if the rules are stateless you would allow established tcp
> packets, but would deny them with stateful rules. In the latter case,
> established traffic would be passed by the check-state

You need to pay attention to direction as well. Suppose you wanted to permit outbound TCP connections using stateful rules.
If em0 is the outside interface of your firewall and you're using stateful rules, you would do something like this:

    ipfw add 1000 check-state
    ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
    ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500 permits outbound TCP with SYN,!ACK (the first part of the 3-way handshake), and 2550 denies all TCP traffic that is not permitted.
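The three-rule set above, modelled in Python as an added example (not code from the mail or from FreeBSD): a dynamic-flow table stands in for ipfw's state, and the constructed packets show that an outbound SYN via em0 creates state, the replies pass via check-state, and an unsolicited inbound SYN or ACK-only segment is dropped by rule 2550 even though a stateless "established" rule would have passed the latter. Interface name, addresses and ports are assumed test values.

```python
from collections import namedtuple

OUT_IF = "em0"  # the outside interface, as in the mail

# One TCP segment as ipfw sees it: addresses, ports, direction, interface, flags
Pkt = namedtuple("Pkt", "src sport dst dport direction iface syn ack")


class StatefulIpfw:
    """Models rules 1000 (check-state), 2500 (setup keep-state), 2550 (deny)."""

    def __init__(self):
        self.dynamic = set()  # dynamic rules, keyed by the creating 5-tuple

    def check(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # 1000 check-state: any packet of an existing dynamic flow passes,
        # in either direction, whatever its interface or flags.
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow:1000"
        # 2500 allow tcp from any to any out xmit em0 setup keep-state:
        # only SYN-without-ACK leaving via em0 matches and creates state.
        if p.direction == "out" and p.iface == OUT_IF and p.syn and not p.ack:
            self.dynamic.add(fwd)
            return "allow:2500"
        # 2550 deny tcp from any to any: everything else.
        return "deny:2550"


def run_scenario():
    """Outbound handshake via em0, then two unsolicited inbound packets."""
    fw = StatefulIpfw()
    me, peer = "192.0.2.10", "198.51.100.80"  # constructed addresses
    syn = Pkt(me, 40000, peer, 80, "out", OUT_IF, syn=True, ack=False)
    synack = Pkt(peer, 80, me, 40000, "in", OUT_IF, syn=True, ack=True)
    ack = Pkt(me, 40000, peer, 80, "out", OUT_IF, syn=False, ack=True)
    # inbound SYN to a local service: no state, so rule 2550 drops it
    new_in = Pkt(peer, 12345, me, 22, "in", OUT_IF, syn=True, ack=False)
    # inbound ACK-only with no state: a stateless "established" rule would
    # pass this; the stateful set denies it because no dynamic entry exists
    stray_ack = Pkt(peer, 23456, me, 22, "in", OUT_IF, syn=False, ack=True)
    return [fw.check(p) for p in (syn, synack, ack, new_in, stray_ack)]
```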