On Tuesday 18 April 2006 00:42, Chuck Swiger wrote:
> David Wolfskill wrote:
> > I thought check-state was fairly optional; ref:
> >
> > These dynamic rules, which have a limited lifetime, are checked at
> > the first occurrence of a check-state, keep-state or limit rule, and are
> > typically used to open the firewall on-demand to legitimate traffic
> > only. See the STATEFUL FIREWALL and EXAMPLES Sections below for more
> > information on the stateful behaviour of ipfw.
> >
> > (from "man ipfw" on a 4.11 system).
>
> Yeah...but a rule like "from any to any 22 out via bge0 setup keep-state"
> isn't going to match inbound established traffic, right?

But the man page doesn't say *matching* rule, it says: "the first
occurrence of a check-state, keep-state or limit rule". It is pretty
vague though. The inference I take from this is that check-state mostly
exists so you can force an early, fast hash-table lookup.
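The man page wording the thread argues about ("checked at the first occurrence of a check-state, keep-state or limit rule") can be made concrete with a small model of rule evaluation. The following is an added example, not ipfw's own code and not from anyone in the thread: it simulates that documented semantics on a constructed ruleset and a constructed SSH handshake (an outbound SYN and the inbound SYN-ACK reply). The rule numbers, addresses, the extra "deny ... in" rule and the exact point at which the dynamic table is consulted are assumptions made for illustration; the real kernel code has details (timeouts, limit rules, ipfw1 vs ipfw2) that are deliberately left out.

```python
"""Toy model of ipfw's documented stateful semantics (constructed example,
not ipfw's code): the dynamic rule table is consulted at the first
check-state or keep-state rule a packet reaches, and a hit takes the
action of the rule that created the entry (the "parent" rule)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" (via the one modelled interface)
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool      # True for a bare SYN, i.e. what ipfw calls "setup"


@dataclass
class Rule:
    number: int
    action: str                       # "allow", "deny" or "check-state"
    direction: Optional[str] = None   # None matches both directions
    dport: Optional[int] = None
    setup: bool = False               # only match SYN-only packets
    keep_state: bool = False
    check_state: bool = False


def flow_key(p: Packet):
    """Dynamic entries match both directions of the same 4-tuple."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


def static_match(r: Rule, p: Packet) -> bool:
    if r.check_state:                     # check-state has no static body
        return False
    if r.direction and r.direction != p.direction:
        return False
    if r.dport is not None and p.dport != r.dport:
        return False
    if r.setup and not p.setup:
        return False
    return True


def evaluate(rules, p: Packet, dyn: dict):
    """Return (action, deciding_rule_number). `dyn` maps flow keys to the
    parent rule number and is mutated when a keep-state rule matches."""
    by_number = {r.number: r for r in rules}
    dyn_checked = False
    for r in sorted(rules, key=lambda r: r.number):
        # Modelled assumption: the table lookup happens once, at the first
        # check-state OR keep-state rule, before that rule's static body.
        if (r.check_state or r.keep_state) and not dyn_checked:
            dyn_checked = True
            parent = dyn.get(flow_key(p))
            if parent is not None:
                return by_number[parent].action, parent
        if static_match(r, p):
            if r.keep_state:
                dyn[flow_key(p)] = r.number
            return r.action, r.number
    return "deny", 65535   # implicit default rule


# Constructed traffic: outbound SSH SYN and the inbound SYN-ACK reply.
SYN = Packet("out", "10.0.0.5", 40000, "203.0.113.7", 22, setup=True)
SYNACK = Packet("in", "203.0.113.7", 22, "10.0.0.5", 40000, setup=False)

# Constructed rules (numbers and the extra deny are illustrative).
CHECK = Rule(10, "check-state", check_state=True)
DENY_IN = Rule(50, "deny", direction="in")
KEEP = Rule(100, "allow", direction="out", dport=22, setup=True, keep_state=True)
DENY_ALL = Rule(200, "deny")


def run(rules):
    dyn = {}
    return evaluate(rules, SYN, dyn), evaluate(rules, SYNACK, dyn)


def keep_state_only():
    """No check-state: the keep-state rule itself triggers the lookup, so the
    inbound reply is allowed even though the static body says 'out ... setup'."""
    return run([KEEP, DENY_ALL])


def deny_before_keep_state():
    """A deny that sits above the keep-state rule wins before any lookup."""
    return run([DENY_IN, KEEP, DENY_ALL])


def early_check_state():
    """check-state placed first forces the lookup ahead of the deny."""
    return run([CHECK, DENY_IN, KEEP, DENY_ALL])
```

In the first scenario the inbound reply is accepted with no check-state at all, which is the reading of the man page the thread lands on; the second and third show why one would still want an explicit check-state near the top of a ruleset: without it, any rule above the first keep-state rule is evaluated before the dynamic table is ever consulted.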
