IPFW: Is keep/check-state inherent?

Christopher Cowart ccowart at rescomp.berkeley.edu
Fri Aug 29 18:11:34 UTC 2008


Steve Bertrand wrote:
> I can't recall for certain, but not so long ago, I either read or heard 
> about IPFW having implicit keep-state and check-state.
> 
> Is it true that I can now omit these keywords in my rulesets?

keep-state is not implicit. check-state is not generally necessary,
because dynamic rules are applied at the very first occurrence of a
stateful rule.

I prefer to use keep-state for outbound traffic (something like allow
all from me to any keep-state). For things with inbound connections, I
prefer to not use state (allow tcp from any to me http; allow tcp from
me http to any) in order to prevent remote hosts from using up all the
dynamic rules.

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley
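A ruleset in the shape Chris describes, added here as an example (it is not from the post or from FreeBSD): keep-state only on outbound traffic, stateless allow rules for inbound HTTP. The `IPFW` variable and `fw` wrapper are mine, so the script prints the rules unless `IPFW=ipfw` is set.

```shell
#!/bin/sh
# Added example: ipfw ruleset with state only for traffic this host
# originates, so remote clients never create dynamic entries.
# The dynamic table is bounded by the sysctl net.inet.ip.fw.dyn_max;
# a stateful inbound rule lets any remote host consume those slots.
# Default is a dry run (prints the commands); IPFW=ipfw loads them.
IPFW="${IPFW:-echo ipfw}"

fw() { $IPFW "$@"; }

load_rules() {
    fw -q flush
    # Optional: ipfw already consults the dynamic table at the first
    # keep-state rule, so check-state is only here to make that explicit.
    fw add 100 check-state
    # Outbound traffic from this host creates the dynamic entry that
    # lets the replies back in.
    fw add 200 allow ip from me to any out keep-state
    # Inbound HTTP: plain stateless rules for each direction, no
    # dynamic entry per remote client.
    fw add 300 allow tcp from any to me http in
    fw add 310 allow tcp from me http to any out
    fw add 65000 deny log ip from any to any
}

# How many rules in the set carry keep-state (used by the test).
stateful_rule_count() { load_rules | grep -c keep-state; }

load_rules
```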