From owner-freebsd-ipfw Tue Oct 24 18:29:48 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from ICSI.Berkeley.EDU (fruitcake.ICSI.Berkeley.EDU [192.150.186.11]) by hub.freebsd.org (Postfix) with ESMTP id 2D80337B479 for ; Tue, 24 Oct 2000 18:29:46 -0700 (PDT)
Received: from fondue.ICSI.Berkeley.EDU (fondue.ICSI.Berkeley.EDU [192.150.186.19]) by ICSI.Berkeley.EDU (8.9.0/8.9.0) with ESMTP id SAA01631; Tue, 24 Oct 2000 18:29:45 -0700 (PDT)
Received: from localhost (rizzo@localhost) by fondue.ICSI.Berkeley.EDU (8.8.2/1.8) with ESMTP id SAA17321; Tue, 24 Oct 2000 18:29:44 -0700 (PDT)
X-Authentication-Warning: fondue.ICSI.Berkeley.EDU: rizzo owned process doing -bs
Date: Tue, 24 Oct 2000 18:29:44 -0700 (PDT)
From: Luigi Rizzo
To: Kirk Strauser
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Stateful? Non-stateful? I'm lost
In-Reply-To: <87u2a1zqn1.fsf@pooh.honeypot>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

> I am using ipfw on a FreeBSD 4.1.1-STABLE box. I have written ...
> exactly what they're supposed to do. My questions are:
>
> 1. What do they do?

They basically install a new rule when a packet matches a given
template (typically a rule where not all fields are fully specified).
The new rule has all fields (IPs, ports and protocol type) specified, so
it only matches that particular session, and it expires when the session
is over or has been idle for some time.

I leave the answer to the other questions to you, as it really depends
on your needs whether you should use them or not. Typically, dynamic
rules allow you to keep your firewall closed by default and open it only
from the inside when you transmit a SYN packet, and only for the
duration of your session. If you want to protect a server, I am not 100%
sure that they are as useful (though they are probably useful).
cheers
luigi

----------------------------------+-----------------------------------------
Luigi RIZZO, luigi@iet.unipi.it  . ACIRI/ICSI (on leave from Univ. di Pisa)
http://www.iet.unipi.it/~luigi/  . 1947 Center St, Berkeley CA 94704
Phone: (501) 666 2947
----------------------------------+-----------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
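The mechanism Luigi describes above, as an added worked model that is not part of the original message and not ipfw's own code: a static template rule (wildcard source port and destination) carrying keep-state installs a fully specified dynamic rule for the 5-tuple of the outbound SYN, a check-state rule matches later packets of that session in either direction, and the dynamic rule drops out of the table after a FIN or after a period of idleness. The ruleset it models is the closed-by-default one from the reply, roughly `check-state`, `allow tcp from 192.168.1.0/24 to any setup keep-state`, `deny tcp from any to any`. The addresses, ports and the per-phase idle lifetimes are assumptions chosen for the example; they stand in for the net.inet.ip.fw.dyn_*_lifetime sysctls but are not their real defaults.

```python
"""Toy model of ipfw dynamic rules (keep-state / check-state).

Added illustration only: this is not ipfw's implementation. Addresses,
ports and lifetimes below are assumed values for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed idle lifetimes (seconds) by session phase; ipfw exposes the real
# ones as sysctls (net.inet.ip.fw.dyn_*_lifetime). Values here are made up.
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "udp": 10}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # subset of {"syn", "ack", "fin", "rst"}


@dataclass
class Rule:
    """Static rule. Fields left None are wildcards, so the rule is a template."""
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None
    src: Optional[str] = None     # CIDR
    dst: Optional[str] = None     # CIDR
    dport: Optional[int] = None
    setup: bool = False           # ipfw 'setup': SYN set, ACK clear
    keep_state: bool = False
    check_state: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.setup and not ("syn" in p.flags and "ack" not in p.flags):
            return False
        return True


@dataclass
class DynamicRule:
    """Fully specified rule installed from a template: one session, both directions."""
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    expires: float

    def matches(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        fwd = key == (self.src, self.sport, self.dst, self.dport)
        rev = key == (self.dst, self.dport, self.src, self.sport)
        return p.proto == self.proto and (fwd or rev)


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.dynamic: List[DynamicRule] = []

    @staticmethod
    def _lifetime(p: Packet) -> float:
        if p.proto != "tcp":
            return LIFETIME["udp"]
        for phase in ("rst", "fin", "ack"):   # most-final phase wins
            if phase in p.flags:
                return LIFETIME[phase]
        return LIFETIME["syn"]

    def process(self, p: Packet, now: float) -> str:
        # Purge dynamic rules whose idle timer ran out (or that were shortened by FIN/RST).
        self.dynamic = [d for d in self.dynamic if d.expires > now]
        for rule in self.rules:
            if rule.check_state:
                for d in self.dynamic:
                    if d.matches(p):
                        d.expires = now + self._lifetime(p)   # activity refreshes the timer
                        return d.action
                continue   # no dynamic match: check-state falls through to the next rule
            if rule.matches(p):
                if rule.keep_state:   # instantiate the template for this exact session
                    self.dynamic.append(DynamicRule(rule.action, p.proto, p.src, p.sport,
                                                    p.dst, p.dport, now + self._lifetime(p)))
                return rule.action
        return "deny"   # ipfw's implicit default rule 65535


def demo() -> dict:
    """Closed-by-default ruleset opened only from the inside by an outbound SYN."""
    fw = Firewall([
        Rule("allow", check_state=True),
        Rule("allow", proto="tcp", src="192.168.1.0/24", setup=True, keep_state=True),
        Rule("deny", proto="tcp"),
    ])
    inside, outside = "192.168.1.10", "203.0.113.5"   # assumed hosts

    def tcp(src, sport, dst, dport, *flags):
        return Packet("tcp", src, sport, dst, dport, frozenset(flags))

    v = {}
    v["syn_out"] = fw.process(tcp(inside, 40000, outside, 80, "syn"), now=0)
    v["synack_in"] = fw.process(tcp(outside, 80, inside, 40000, "syn", "ack"), now=1)
    v["unsolicited_in"] = fw.process(tcp("203.0.113.9", 1234, inside, 22, "syn"), now=1)
    v["data_in"] = fw.process(tcp(outside, 80, inside, 40000, "ack"), now=200)
    v["idle_in"] = fw.process(tcp(outside, 80, inside, 40000, "ack"), now=900)  # idle > 300s
    v["syn_out2"] = fw.process(tcp(inside, 40001, outside, 80, "syn"), now=1000)
    v["fin_out2"] = fw.process(tcp(inside, 40001, outside, 80, "fin", "ack"), now=1001)
    v["after_fin_in2"] = fw.process(tcp(outside, 80, inside, 40001, "ack"), now=1005)
    v["dyn_rules_left"] = len(fw.dynamic)
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

Two simplifications worth knowing when mapping this back to a real ruleset: in ipfw a keep-state rule also consults the dynamic table itself, so an explicit check-state is only needed to place that lookup earlier in the list, and the real lifetimes and table size are tunable sysctls rather than the constants assumed here. The verdict for `idle_in` is the point of the reply: an inbound packet that arrives after the session's idle timer has run out meets a firewall that is closed again.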