Date: Thu, 22 Mar 2001 12:06:50 -0800 (PST)
From: Gordon Tetlow <gordont@bluemtn.net>
To: Andre Goeree <abgoeree@uwnet.nl>
Cc: <stable@FreeBSD.ORG>
Subject: Re: ipfw stateful filtering
Message-ID: <Pine.BSF.4.33.0103221205460.87344-100000@sdmail0.sd.bmarts.com>
In-Reply-To: <20010322164215.A20386@mandark.attica.home>

I have the same thing.... If you read the ipfw man page, it actually tells
you that you don't need a check-state rule as the first keep-state rule
implies check-state. I imagine the counters go elsewhere but I'm not sure.
If I get the time, I'll look at the code.

-gordon

On Thu, 22 Mar 2001, Andre Goeree wrote:

> I'm experimenting a little with stateful filtering.
> Somehow it doesn't work like I expect; output of "ipfw show":
>
> 00100 0 0 check-state
> 00200 2874 690508 allow ip from any to any via lo0
> [snip address checking rules]
> 02100 0 0 deny tcp from any to any via tun* established
> 02200 890 308516 allow tcp from any 4000-5000 to any keep-state out xmit tun* setup
> [snip local network rules]
> ## Dynamic rules:
> 02200 889 308472 (T 0, # 176) ty 0 tcp, XXX.XXX.XXX.XXX 4025 <-> XXX.XXX.XXX.XXX 110
>
> It appears that the check-state rule never matches..
> Am I overlooking something?
>
> --Andre.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message