From owner-freebsd-stable Thu Mar 22 12: 7:25 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from sdmail0.sd.bmarts.com (sdmail0.sd.bmarts.com [209.247.77.155])
	by hub.freebsd.org (Postfix) with ESMTP id 8788C37B71F
	for ; Thu, 22 Mar 2001 12:07:19 -0800 (PST)
	(envelope-from gordont@bluemtn.net)
Received: from localhost (gordont@localhost)
	by sdmail0.sd.bmarts.com (8.11.3/8.11.2/BMA1.1) with ESMTP id f2MK6pA93819;
	Thu, 22 Mar 2001 12:06:51 -0800 (PST)
Date: Thu, 22 Mar 2001 12:06:50 -0800 (PST)
From: Gordon Tetlow
X-X-Sender:
To: Andre Goeree
Cc:
Subject: Re: ipfw stateful filtering
In-Reply-To: <20010322164215.A20386@mandark.attica.home>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have the same thing.... If you read the ipfw man page, it actually tells
you that you don't need a check-state rule as the first keep-state rule
implies check-state. I imagine the counters go elsewhere but I'm not sure.
If I get the time, I'll look at the code.

-gordon

On Thu, 22 Mar 2001, Andre Goeree wrote:

> I'm experimenting a little with stateful filtering.
> Somehow it doesn't work like I expect; output of "ipfw show":
>
> 00100 0 0 check-state
> 00200 2874 690508 allow ip from any to any via lo0
> [snip address checking rules]
> 02100 0 0 deny tcp from any to any via tun* established
> 02200 890 308516 allow tcp from any 4000-5000 to any keep-state out xmit tun* setup
> [snip local network rules]
> ## Dynamic rules:
> 02200 889 308472 (T 0, # 176) ty 0 tcp, XXX.XXX.XXX.XXX 4025 <-> XXX.XXX.XXX.XXX 110
>
> It appears that the check-state rule never matches..
> Am I overlooking something?
>
> --Andre.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
>
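
Added example (not part of the original messages and not ipfw source code): a simplified Python model of the dynamic-rule lookup discussed in this thread, run with and without an explicit check-state rule. It assumes that a packet matching a dynamic entry is counted on that entry and on the keep-state rule that created it, not on check-state, which agrees with the quoted counters (02200 at 890, its dynamic entry at 889, check-state at 0). The names Rule, process and simulate, the addresses, and the omission of interface matching are constructed for illustration.

```python
# Added example: simplified model of ipfw dynamic-rule matching, not ipfw source.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    num: int
    action: str                                   # "check-state", "allow" or "deny"
    match: Optional[Callable[[dict], bool]] = None
    keep_state: bool = False
    pkts: int = 0

def flow_key(p):
    # One dynamic entry covers both directions of a flow.
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def process(rules, dynamic, p):
    looked_up = False
    for r in rules:
        # The dynamic table is consulted at the first check-state or keep-state rule.
        if not looked_up and (r.action == "check-state" or r.keep_state):
            looked_up = True
            hit = dynamic.get(flow_key(p))
            if hit:
                hit["pkts"] += 1
                hit["parent"].pkts += 1   # ASSUMPTION: parent rule is credited
                return hit["parent"].action
        if r.action == "check-state" or not r.match(p):
            continue
        r.pkts += 1
        if r.keep_state:
            dynamic[flow_key(p)] = {"parent": r, "pkts": 0}
        return r.action
    return "deny"                         # default policy of this model

def simulate(with_check_state):
    # Constructed rules mirroring 00100, 02100 and 02200 (interfaces ignored).
    est = lambda p: "A" in p["flags"] or "R" in p["flags"]
    setup = lambda p: ("S" in p["flags"] and "A" not in p["flags"]
                       and p["dir"] == "out" and 4000 <= p["sport"] <= 5000)
    rules = [Rule(2100, "deny", est), Rule(2200, "allow", setup, keep_state=True)]
    if with_check_state:
        rules.insert(0, Rule(100, "check-state"))
    a, b = ("192.0.2.10", 4025), ("198.51.100.5", 110)   # constructed endpoints
    flow = [(a, b, "out", "S"), (b, a, "in", "SA"), (a, b, "out", "A"), (b, a, "in", "A")]
    packets = [{"src": s[0], "sport": s[1], "dst": d[0], "dport": d[1], "dir": way, "flags": fl}
               for s, d, way, fl in flow]
    dynamic = {}
    verdicts = [process(rules, dynamic, p) for p in packets]
    return verdicts, {r.num: r.pkts for r in rules}, sum(d["pkts"] for d in dynamic.values())
```

In this model, simulate(True) leaves rule 100 at zero while rule 2200 and its dynamic entry carry the traffic; simulate(False) moves the lookup down to rule 2200, so the "deny ... established" rule above it sees the follow-up packets first.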