On Thu, 30 Sep 2004 22:32:16 +1000, Steven Adams <[EMAIL PROTECTED]> wrote:
> When I add
>
> $fwcmd add allow ip from any to any established
>
> The messages go away, but when I remove it they come back. I ran a tcpdump
> and it seems most of the packets just have ACK set?
If this works for you then keep-state is definitely not working for you, because when a SYN comes in, the state is saved in the firewall's dynamic states so that subsequent ACKs corresponding to that SYN get through without any problem.

<snip>

> ===========================================================
> oif=bge0
> fwcmd=ipfw
>
> $fwcmd -f flush
>
> $fwcmd add check-state
>
> $fwcmd add allow ip from any to any via lo0
> $fwcmd add deny ip from any to 127.0.0.0/8
>
> $fwcmd add deny all from any to any frag in via $oif
>
> $fwcmd add allow tcp from any to me 21,25,26,53,110,143,443,465,953,993,995,2082,2083,2086,2087,2089,2095,2096,2627,6666,40000-49452 in via $oif keep-state setup
> $fwcmd add allow tcp from any to me 80 setup keep-state
> $fwcmd add allow udp from me 53 to any keep-state
> $fwcmd add allow udp from any to any 53 keep-state
>
> $fwcmd add allow all from me to any out via $oif setup keep-state
>
> $fwcmd add deny all from any to any 137,138,139,67,68 in
>
> $fwcmd add deny log all from me to any 22
> $fwcmd add deny log all from any to any

change this to

$fwcmd add deny log all from any to any in xmit $oif

BTW, any good reason not to trust your internal network from sending data through the firewall?

<snip>

Regards
S.

--
Subhro Sankha Kar
School of Information Technology
Block AQ-13/1 Sector V
ZIP 700091
India

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
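As an added illustration (not code from either poster, and not ipfw itself), the following Python model replays the logic of the quoted ruleset for one inbound connection to port 80. It assumes 192.0.2.10 as the address behind "me" and a constructed subset of the quoted port list, and shows why a working keep-state lets the handshake's ACK packets through, why a non-working one leaves them for the final deny rule to log, and why a blanket "established" rule only hides that problem (it also admits an ACK that belongs to no known connection):

```python
from dataclasses import dataclass, field

ME = "192.0.2.10"                         # assumed address standing in for ipfw's "me"
INBOUND_TCP = frozenset({25, 80, 443})    # constructed subset of the quoted port list


@dataclass
class Firewall:
    """Tiny model of the quoted ruleset: check-state, setup/keep-state, final deny."""
    keep_state_works: bool = True     # False models the poster's non-working keep-state
    allow_established: bool = False   # True adds 'allow ip from any to any established'
    states: set = field(default_factory=set)

    @staticmethod
    def _key(src, sport, dst, dport):
        # A dynamic state matches both directions of the same flow.
        return frozenset({(src, sport), (dst, dport)})

    def _remember(self, src, sport, dst, dport):
        if self.keep_state_works:
            self.states.add(self._key(src, sport, dst, dport))

    def check(self, src, sport, dst, dport, flags):
        """Verdict for one TCP packet; flags is a string such as 'S', 'SA' or 'A'."""
        syn, ack = "S" in flags, "A" in flags
        setup = syn and not ack                  # ipfw 'setup' = SYN without ACK
        # $fwcmd add check-state
        if self._key(src, sport, dst, dport) in self.states:
            return "allow (dynamic state)"
        # $fwcmd add allow ip from any to any established (ACK set; RST not modelled)
        if self.allow_established and ack:
            return "allow (established)"
        # $fwcmd add allow tcp from any to me <ports> in via $oif keep-state setup
        if dst == ME and dport in INBOUND_TCP and setup:
            self._remember(src, sport, dst, dport)
            return "allow (setup)"
        # $fwcmd add allow all from me to any out via $oif setup keep-state
        if src == ME and setup:
            self._remember(src, sport, dst, dport)
            return "allow (setup)"
        # $fwcmd add deny log all from any to any
        return "deny log"


def inbound_handshake(keep_state_works, allow_established):
    """Verdicts for SYN in, SYN/ACK out, ACK in, then a stray ACK with no prior SYN."""
    fw = Firewall(keep_state_works, allow_established)
    peer = "198.51.100.7"                        # constructed client address
    return [fw.check(peer, 40001, ME, 80, "S"), fw.check(ME, 80, peer, 40001, "SA"),
            fw.check(peer, 40001, ME, 80, "A"), fw.check("203.0.113.9", 5555, ME, 80, "A")]
```

With keep_state_works=False the SYN/ACK and ACK of a legitimate handshake fall through to the logging deny rule, which is the symptom described in the question.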