IPFW: when to use "keep-state" and when to use "setup keep-state"

See ipfw(8):
Code:
     keep-state
             Upon a match, the firewall will create a dynamic rule, whose
             default behaviour is to match bidirectional traffic between
             source and destination IP/port using the same protocol.  The rule
             has a limited lifetime (controlled by a set of sysctl(8)
             variables), and the lifetime is refreshed every time a matching
             packet is found.
Code:
     setup   Matches TCP packets that have the SYN bit set but no ACK bit.
             This is the short form of ``tcpflags syn,!ack''.

So, 'setup keep-state' only works for the initial TCP SYN packet, and 'keep-state' can also keep state for other types of packets (like UDP, for example).
 
Safer is this rule: ipfw add 100 allow tcp from me to any 80 setup keep-state
or this: ipfw add 100 allow tcp from me to any 80 out; ipfw add 101 allow tcp from any to me 80 in
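A minimal stateful ruleset, added here as an example (not posted in the thread), showing where each form fits: "setup keep-state" for TCP so only a connection-opening SYN creates state, plain "keep-state" for UDP which has no handshake. Rule numbers, ports and the IPFW prefix variable are assumptions.

```shell
#!/bin/sh
# Minimal stateful ipfw ruleset (example, not from the thread).
# IPFW is the command prefix; set IPFW=echo to print the rules instead of
# loading them. Rule numbers and the HTTP/DNS ports are assumptions.
IPFW="${IPFW:-ipfw -q}"

# Emit the complete ruleset, running "$IPFW" once per rule.
stateful_ruleset() {
    # Check existing dynamic rules first: replies to sessions that were
    # allowed below are accepted here without re-evaluating the static rules.
    $IPFW add 100 check-state

    # TCP: "setup keep-state" creates the dynamic rule only for the packet
    # that opens the connection (SYN without ACK). A stray ACK or RST arriving
    # from outside therefore cannot create state for a session nobody asked for.
    $IPFW add 200 allow tcp from me to any 80,443 setup keep-state

    # UDP has no handshake, so plain "keep-state" is the right form: the first
    # outbound datagram creates the bidirectional entry and the resolver's
    # reply is matched by rule 100.
    $IPFW add 300 allow udp from me to any 53 keep-state

    # Anything that matched neither a dynamic rule nor an allow rule is
    # dropped, including inbound TCP that is not part of a local session.
    $IPFW add 65000 deny log ip from any to any
}

# Print the rules as text so the set can be reviewed before loading.
dry_run() {
    ( IPFW=echo; stateful_ruleset )
}

# Only load rules when explicitly asked for:  sh ruleset.sh apply
if [ "${1:-}" = "apply" ]; then
    stateful_ruleset
fi
```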
 