ipfw query

Paul Civati paul at xciv.org
Tue Jun 19 14:04:56 BST 2001


Richard Smith <rdls at rdls.net> wrote:

> Is there an advantage to using the keep-state/check-state dynamic style
> over the setup/established static style of writing ipfw rules?
> Particularly from a security standpoint?

Yes.

'setup/established' style filtering usually only looks at the flags
set on TCP connections, so is somewhat limited.

'keep-state/check-state' style filtering maintains a state table
of data 'flows' (for want of a better word), and tracks (based
on src/dst/port, sequence numbers, etc) streams of packets (both
UDP and TCP) and only allows packets back in that are part of a
flow established from (say within) your network to external hosts.

This is sometimes called stateful inspection and is more usually
found on commercial firewall products, e.g. Checkpoint Firewall-1.

-Paul-
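The difference Paul describes can be made concrete with a small simulation. The following is an added example, not part of the original post and not ipfw code: it models, in Python, what each rule style decides for a constructed packet sequence. The static model stands in for roughly 'allow tcp from inside to any setup' plus 'allow tcp from any to any established'; the dynamic model stands in for 'check-state' followed by 'allow ip from inside to any keep-state'. The inside network, the packet tuples and the shape of the state table are assumptions chosen for illustration; the point shown is that an unsolicited inbound packet with the ACK bit set passes the flags-only filter but is dropped by the flow-table filter, and that the flow table also covers UDP.

```python
"""Simulation of ipfw 'setup/established' (static, flags-only) filtering
versus 'check-state/keep-state' (dynamic, flow-table) filtering.

Added example: this does not invoke ipfw. It mirrors the documented
semantics of the two rule styles on a constructed packet sequence so the
security difference is visible offline.
"""
from dataclasses import dataclass
import ipaddress

# Assumed internal network for the example.
INSIDE = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN bit
    ack: bool = False   # TCP ACK bit
    rst: bool = False   # TCP RST bit


def from_inside(pkt: Packet) -> bool:
    return ipaddress.ip_address(pkt.src) in INSIDE


def static_filter(packets):
    """Flags-only model: 'setup' matches SYN without ACK; 'established'
    matches any TCP packet with ACK or RST set. No memory between packets,
    so an unsolicited inbound ACK is indistinguishable from a real reply."""
    verdicts = []
    for p in packets:
        if p.proto == "tcp" and p.syn and not p.ack and from_inside(p):
            verdicts.append("allow")           # setup from inside
        elif p.proto == "tcp" and (p.ack or p.rst):
            verdicts.append("allow")           # established: flags only
        else:
            verdicts.append("deny")            # no UDP rule in this model
    return verdicts


def dynamic_filter(packets):
    """Flow-table model: an outbound packet creates a state entry keyed on
    (proto, inside addr/port, outside addr/port); inbound packets are
    allowed only when they match an existing entry (check-state)."""
    state = set()
    verdicts = []
    for p in packets:
        if from_inside(p):
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
        else:
            key = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in state:
            verdicts.append("allow")           # check-state: known flow
        elif from_inside(p) and (p.proto == "udp" or (p.syn and not p.ack)):
            state.add(key)                     # keep-state: new flow from inside
            verdicts.append("allow")
        else:
            verdicts.append("deny")            # no matching flow
    return verdicts


# Constructed traffic: a legitimate web connection, an unsolicited inbound
# ACK to port 22, and a UDP DNS query with its reply. Addresses are
# documentation ranges, chosen for the example.
SAMPLE_PACKETS = [
    Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, syn=True),
    Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000, syn=True, ack=True),
    Packet("tcp", "198.51.100.9", 1234, "192.168.1.10", 22, ack=True),
    Packet("udp", "192.168.1.10", 53001, "203.0.113.53", 53),
    Packet("udp", "203.0.113.53", 53, "192.168.1.10", 53001),
]


def run_demo():
    """Return (static verdicts, dynamic verdicts) for SAMPLE_PACKETS."""
    return static_filter(SAMPLE_PACKETS), dynamic_filter(SAMPLE_PACKETS)


if __name__ == "__main__":
    static, dynamic = run_demo()
    for p, s, d in zip(SAMPLE_PACKETS, static, dynamic):
        print(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  static={s:5}  dynamic={d}")
```

Packet three is the interesting one: it arrives from outside with ACK set and no prior flow, so the flags-only filter lets it through while the flow-table filter rejects it. The two UDP packets show the other half of the argument, since UDP has no flags for a static rule to inspect at all.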
