JJB wrote:
> First indication is the hit count on the check-state rule. It's zero
> which means there is never a match in the keep-state table. For all
> practical purposes your firewall keep-state rules are useless.
I was suspicious of that too, but if I remove the keep-state option from
the allow rules, I get no return traffic. Replies from websites never
make it back. So I assumed that the state was being recorded and used
correctly.
> Just within the last few days a complete working example of ipfw +
> natd + stateful rules was posted here for the archives.
> Search the questions archives for your answer.
Yes, I have been referring to that posting, but I'm struggling to see
what (fundamentally) the poster has put in his ruleset that I have not.
He has denied several IP addresses that should never send packets, and
he has allowed some specific outbound traffic types, but it basically
seems to be doing the same. Hence my desire to understand what I am
clearly missing.
--
Bob
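To help interpret the counters being debated above, here is a toy model (an added example, not from this thread and not FreeBSD's ipfw code) of the dynamic-table lookup described in ipfw(8): the table is consulted at a check-state rule or, if none has been reached yet, at the first keep-state rule, and a match runs the action of the rule that created the state. It assumes that the hit is credited to that creating rule; the addresses and rule numbers are constructed.

```python
# Toy model of ipfw dynamic-rule lookup (constructed example, not FreeBSD code).
# Assumption: a dynamic match is credited to the rule that created the state,
# so a check-state rule can sit at zero hits while replies are still accepted.
from dataclasses import dataclass, field


@dataclass
class Rule:
    num: int
    action: str                 # "allow", "deny" or "check-state"
    src: str = "any"            # "any" or one address (toy matcher)
    keep_state: bool = False
    hits: int = 0


@dataclass
class Firewall:
    rules: list
    dyn: dict = field(default_factory=dict)   # flow (src, dst) -> creating Rule

    def _lookup(self, pkt):
        """Return the rule that created state for pkt or its reverse flow."""
        return self.dyn.get(pkt) or self.dyn.get((pkt[1], pkt[0]))

    def process(self, pkt):
        """Evaluate a (src, dst) packet, update hit counters, return the verdict."""
        probed = False                  # the dynamic table is probed once per packet
        for r in self.rules:
            if not probed and (r.action == "check-state" or r.keep_state):
                probed = True
                parent = self._lookup(pkt)
                if parent is not None:  # run and credit the rule that made the state
                    parent.hits += 1
                    return parent.action
            if r.action == "check-state":
                continue                # no dynamic match: move to the next rule
            if r.src in ("any", pkt[0]):
                r.hits += 1
                if r.keep_state:
                    self.dyn[pkt] = r   # what `ipfw -d show` would list
                return r.action
        return "deny"


def demo(check_state_first):
    """Send one outbound packet and its reply; return (reply verdict, hits, #states)."""
    cs = Rule(100, "check-state")
    out = Rule(200, "allow", src="192.0.2.10", keep_state=True)   # constructed host
    tail = Rule(65535, "deny")
    fw = Firewall([cs, out, tail] if check_state_first else [out, cs, tail])
    fw.process(("192.0.2.10", "198.51.100.7"))            # outbound: creates state
    verdict = fw.process(("198.51.100.7", "192.0.2.10"))  # reply: no static match
    return verdict, {r.num: r.hits for r in fw.rules}, len(fw.dyn)
```

In both orderings the reply is accepted through the state entry and rule 200 accumulates the hits, which is why a zero counter on check-state alone does not show the state table is unused; listing dynamic entries with `ipfw -d show` is the direct check.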
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"