On Apr 21, 2012, at 4:41 AM, Dmitry S. Kasterin wrote:
> The "DYNAMIC RULES" section gives the following recommendation:
> ipfw add check-state
> ipfw add deny tcp from any to any established
> ipfw add allow tcp from my-net to any setup keep-state
>
> Is the second rule
On Sat, 21 Apr 2012 15:41:30 +0400, Dmitry S. Kasterin wrote:
[..]
> 9.0-STABLE / custom kernel
>
> > Also, if
> > you choose to use stateful TCP filtering, it is probably best to do it
> > in the manner shown in the ipfw(8) man page under DYNAMIC RULES. This
> > is very different from the w
>> # sysctl net.inet.ip.fw.dyn_fin_lifetime=4
>> net.inet.ip.fw.dyn_fin_lifetime: 1 -> 4
>> # sysctl net.inet.ip.fw.dyn_rst_lifetime=4
>> net.inet.ip.fw.dyn_rst_lifetime: 1 -> 4
> The thing that jumps out is that all of the blocked packets are of FIN
> packets. I am not sure why they are being deni
On Fri, Apr 20, 2012 at 11:55 AM, Dmitry S. Kasterin wrote:
>> Thank you for the "allow tcp from me to any established" rule,
>> I'll give it a try later.
>
> Ok, I've tested this - no oddity/"frozen" connection. As expected.
> This is an excerpt from the ruleset (ipfw show):
>
> 00101 4759 258
> Thank you for the "allow tcp from me to any established" rule,
> I'll give it a try later.
Ok, I've tested this - no oddity/"frozen" connection. As expected.
This is an excerpt from the ruleset (ipfw show):
00101 4759 2588637 allow tcp from any to any established
00102 20612360 allow t
Kevin, Michael, hi
> a real problem with IPFW.
Well, someone who can confirm or disprove my guesswork is much desired )
> But I do have to ask why you find stateful rules for outgoing TCP
> connections desirable? Why not:
> 00101 allow tcp from me to any established
> It appears to do the sa
On Tue, Apr 17, 2012 at 12:58 PM, Michael Sierchio wrote:
> On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman wrote:
>>
>>
>> But I do have to ask why you find stateful rules for outgoing TCP
>> connections desirable? Why not:
>> 00101 allow tcp from me to any established
>>
> It's useful and appr
On Tue, Apr 17, 2012 at 12:48 PM, Kevin Oberman wrote:
>
> But I do have to ask why you find stateful rules for outgoing TCP
> connections desirable? Why not:
> 00101 allow tcp from me to any established
>
> It's useful and appropriate to have outbound connections be stateful.
It's not a good i
On Tue, Apr 17, 2012 at 4:05 AM, Dmitry S. Kasterin wrote:
> (Cross-posting this to net@ since there was no reply on ipfw@.)
>
> Hello!
>
> I have a rather simple ipfw ruleset like this:
>
> 1 allow all from any to any via lo0
>
> 00010 check-state
> 00101 allow tcp from me to any out setup keep
(Cross-posting this to net@ since there was no reply on ipfw@.)
Hello!
I have a rather simple ipfw ruleset like this:
1 allow all from any to any via lo0
00010 check-state
00101 allow tcp from me to any out setup keep-state
65533 deny log ip from any to any
65534 deny ip6 from any to any
Ac