Date:      Sat, 22 Oct 2011 10:09:52 -0700
From:      Michael Sierchio <kudzu@tenebras.com>
To:        RW <rwmaillists@googlemail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Configuring IPFW
Message-ID:  <CAHu1Y722=5P19QMbLJpUmEaiQKsdLFHe3OzCNFWz-UM_LhZ-KA@mail.gmail.com>
In-Reply-To: <20111022175456.0e7afccc@gumby.homeunix.com>
References:  <BLU0-SMTP235296774800AA3D588B52193E90@phx.gbl> <20111022175456.0e7afccc@gumby.homeunix.com>

On Sat, Oct 22, 2011 at 9:54 AM, RW <rwmaillists@googlemail.com> wrote:

> Normally if the rules are stateless you would allow established tcp
> packets, but would deny them with stateful rules. In the latter case,
> established traffic would be passed by the check-state

You need to pay attention to direction as well.  Suppose you wanted to
permit outbound TCP connections using stateful rules.  If em0 is the
outside interface of your firewall and you're using stateful rules,
you would do something like this:


ipfw add 1000 check-state
ipfw add 2500 allow tcp from any to any out xmit em0 setup keep-state
ipfw add 2550 deny tcp from any to any

The check-state rule checks for established dynamic flows, 2500
permits outbound TCP with SYN,!ACK (the first part of the 3-way
handshake), and 2550 denies all TCP traffic that is not permitted.
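Added illustration (not part of the original thread, and not ipfw source): a small Python model of how the three rules above interact. It assumes em0 is the outside interface as in the message, approximates ipfw's dynamic table as a set of flow keys in both directions with no timeouts, and feeds it a constructed packet sequence using RFC 5737 documentation addresses. The flags, addresses and port numbers are constructed for the example.

```python
# Added illustration: a simplified model of the ipfw ruleset
#   1000 check-state / 2500 allow ... out xmit em0 setup keep-state / 2550 deny
# This is NOT ipfw itself; it approximates the semantics for one outside interface.
from dataclasses import dataclass

OUTSIDE_IF = "em0"   # assumption taken from the message: em0 is the outside interface


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags present, e.g. frozenset({"SYN"})
    direction: str        # "in" or "out", as seen by the firewall
    iface: str            # interface the packet is received on / transmitted from


class StatefulFirewall:
    """Models rules 1000 (check-state), 2500 (allow ... setup keep-state), 2550 (deny)."""

    def __init__(self):
        # dynamic table: one entry per direction of each permitted flow (no timeouts modelled)
        self.dynamic = set()

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def check_state(self, p):
        # rule 1000: an existing dynamic entry short-circuits the rest of the ruleset
        return self._key(p) in self.dynamic

    @staticmethod
    def is_setup(p):
        # ipfw 'setup' means SYN set and ACK clear: the first packet of the 3-way handshake
        return "SYN" in p.flags and "ACK" not in p.flags

    def decide(self, p):
        """Return (rule_number, action) for a packet, updating state as keep-state would."""
        if self.check_state(p):
            return (1000, "allow")
        if p.direction == "out" and p.iface == OUTSIDE_IF and self.is_setup(p):
            # keep-state: remember both directions so the reply (SYN/ACK) and
            # later segments match at check-state instead of reaching 2550
            self.dynamic.add((p.src, p.sport, p.dst, p.dport))
            self.dynamic.add((p.dst, p.dport, p.src, p.sport))
            return (2500, "allow")
        return (2550, "deny")


def run_scenario():
    """Constructed packet sequence (RFC 5737 documentation addresses)."""
    fw = StatefulFirewall()
    inside, server, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    packets = [
        # 1. client SYN leaving via em0: matches 2500, creates state
        Packet(inside, 40000, server, 443, frozenset({"SYN"}), "out", OUTSIDE_IF),
        # 2. server SYN/ACK coming back: matched by check-state (1000)
        Packet(server, 443, inside, 40000, frozenset({"SYN", "ACK"}), "in", OUTSIDE_IF),
        # 3. client's final ACK of the handshake: also check-state
        Packet(inside, 40000, server, 443, frozenset({"ACK"}), "out", OUTSIDE_IF),
        # 4. unsolicited inbound SYN to port 22: no state, not outbound -> 2550 deny
        Packet(stranger, 55555, inside, 22, frozenset({"SYN"}), "in", OUTSIDE_IF),
        # 5. stray outbound ACK with no prior SYN: not 'setup', no state -> 2550 deny
        Packet(inside, 40001, server, 443, frozenset({"ACK"}), "out", OUTSIDE_IF),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for n, (rule, action) in enumerate(run_scenario(), 1):
        print(f"packet {n}: rule {rule} -> {action}")
```

The point the model makes is the one about direction: only a SYN that leaves through em0 creates state, so the server's SYN/ACK is accepted by check-state while an inbound SYN from outside, or an ACK that never went through setup, falls to 2550.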
