Date: Mon, 20 Sep 2004 06:21:42 -0000
From: Thomas Wolf <tw@wsf.at>
To: "J.T. Davies" <jtd@hostthecoast.org>, freebsd-ipfw@freebsd.org
Subject: Re: Dynamic rules & stats
Message-ID: <20040920082142.eeekl07rke80s4@.mailhost.wsf.at>
"J.T. Davies" <jtd@hostthecoast.org> wrote:

> Please someone smack me around and correct me if I'm mistaken.
>
> I'm using 5.1 Release p13
>
> I've got IPFW2 enabled. Stateless & stateful rules are working correctly.
> I'm trying to incorporate/"upgrade" to dynamic rulesets, but I'm confused.
>
> I've got the following rules:
>
> 1000 check-state
> 2000 allow tcp from any 1024-65535 to mysvrIP 25,110 in via outsideinterface
> setup keep-state
>
>
> Now, when I check mail from an outside client (mail transfer is successful),
> and then I do IPFW SHOW, the traffic counters for rule 2000 are ever
> increasing, but 1000 stays at 0. Every mail transfer (whether POP3 or SMTP)
> increments 2000, but never 1000.
>
> Is this correct? I *thought* that this should work somewhat like the
> "setup" and the "established" methods of a stateful firewall configuration.

No need to worry. For dynamic rules, it's always the parent rule (which
'created' the dynamic one) where the counters are incremented (in your
setup, 2000).

> If I remark rule 1000...traffic still passes through.

"If no check-state rule is found, the dynamic ruleset is checked at the
first keep-state or limit rule." (man ipfw)

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
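Added example, not part of the thread: a small shell helper that reads `ipfw -d show` output (static rules followed by the "## Dynamic rules" section) and reports, per parent rule, the parent's own packet counter next to the number and packet total of the dynamic entries it created. The sample output below is constructed to mimic the format; the rule numbers, interface name and addresses are assumptions.

```sh
#!/bin/sh
# Reconcile ipfw dynamic-rule counters with their parent rule.
# SAMPLE is CONSTRUCTED to look like `ipfw -d show` output; on a live
# host pipe the real thing instead:  ipfw -d show | dyn_by_parent
# Note that rule 01000 (check-state) stays at 0: packets matched via a
# dynamic entry are counted on the parent rule (02000), as the thread says.
SAMPLE='01000        0         0 check-state
02000       50      6100 allow tcp from any 1024-65535 to 192.0.2.10 dst-port 25,110 in via fxp0 setup keep-state
65535        3       180 deny ip from any to any
## Dynamic rules (2):
02000       17      2100 (300s) STATE tcp 198.51.100.5 40123 <-> 192.0.2.10 25
02000       25      3130 (300s) STATE tcp 198.51.100.6 51234 <-> 192.0.2.10 110'

# Reads `ipfw -d show` output on stdin and prints one line per parent rule:
#   <rule> <parent_pkts> <live_dynamic_entries> <sum_of_dynamic_entry_pkts>
# The parent counter can exceed the dynamic sum: it also counts the packets
# that created each entry and traffic of entries that have since expired
# and are no longer listed.
dyn_by_parent() {
    awk '
        /^## Dynamic rules/ { dyn = 1; next }          # switch sections
        !dyn                { pkts[$1] = $2; next }    # static rule: keep pkts
        dyn                 { n[$1]++; dpkts[$1] += $2 } # dynamic: group by parent
        END {
            for (r in n)
                printf "%s %d %d %d\n", r, pkts[r] + 0, n[r], dpkts[r]
        }' | sort
}

# Convenience wrapper over the constructed sample.
dyn_by_parent_sample() {
    printf '%s\n' "$SAMPLE" | dyn_by_parent
}

dyn_by_parent_sample
```

Feeding the sample through `dyn_by_parent` prints `02000 50 2 42`: two live dynamic entries under rule 2000, whose counters sum to 42 while the parent has counted 50.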