Hello All:

> >     ipfw add permit any to any established.
> 
> The pf counterpart would be
> 
>   pass from any to any keep state
> 
> i.e. leaving out the 'on $if' part makes the rule apply to all
> interfaces, and leaving out the 'out' or 'in' direction makes it apply
> to both directions.

Hmmm, I'm not sure... the term <established> is (IMHO) used by CISCO
ACLs, and it means all IP packets are responses from inside.

For example, if I want to allow ssh connections from all-internet to my
network, I can put

        in on nic1 permit tcp from all-internet to ssh-host port ssh

and I just need 

        out on nic1 permit any to any established

to allow all returning tcp packets to match this rule. Of course on CISCO
it's a first-match policy.

And this works for all services: ssh, web, etc. (not ftp, of course), but
only for TCP, not UDP.

---

The "established" keyword in Cisco terminology means the TCP ACK bit is
set to 1, indicating the traffic originated from behind the
boundary/firewall/ACL'd interface.

Mike
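To make the difference between the two approaches concrete, here is an added Python simulation (not code from this thread, nor from ipfw, pf or Cisco IOS). It models one internet-facing interface (nic1) two ways: a stateless first-match ACL where return traffic is permitted by an `established` rule (TCP with the ACK or RST bit set, no memory of earlier packets), and a pf-style filter where `keep state` on the inbound service rule records the flow and lets its replies through in either direction. The internal hosts, addresses and packets are constructed for the example; it also assumes pf's default of creating TCP state only on the SYN (`flags S/SA`). It shows the two points raised above: the `established` rule cannot cover UDP replies, and it passes any outbound TCP packet that merely has ACK set, whether or not a connection exists.

```python
"""
Constructed comparison of 'established' (stateless TCP flag check) versus
'keep state' (state table) for return traffic on an internet-facing
interface.  Added example; hosts, ports and packets are made up.
"""
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02          # TCP flag bits used below

SSH_HOST = "10.0.0.5"    # assumed internal ssh server
DNS_HOST = "10.0.0.53"   # assumed internal DNS server


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0   # TCP flags; ignored for UDP


def service_rule(pkt):
    """Explicit inbound service rules shared by both models."""
    if pkt.direction != "in":
        return False
    if pkt.proto == "tcp" and pkt.dst == SSH_HOST and pkt.dport == 22:
        return True
    if pkt.proto == "udp" and pkt.dst == DNS_HOST and pkt.dport == 53:
        return True
    return False


def established(pkt):
    """Cisco ACL / ipfw 'established': TCP with ACK or RST set, no memory."""
    return pkt.proto == "tcp" and bool(pkt.flags & (ACK | RST))


def stateless_filter(pkt):
    """First-match ACL:
         in  permit tcp/udp to the published services
         out permit tcp any any established
         deny everything else"""
    if service_rule(pkt):
        return "pass"
    if pkt.direction == "out" and established(pkt):
        return "pass"
    return "block"


class StatefulFilter:
    """pf-style 'pass in ... keep state': the first packet of a flow that
    matches a rule creates a state entry; later packets of that flow pass
    on the state in either direction, so UDP replies work and a lone
    ACK-flagged packet with no state behind it does not."""

    def __init__(self):
        self.states = set()

    def decide(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reply in self.states:
            return "pass"
        # Assumed pf default 'flags S/SA': TCP state only from a bare SYN.
        if service_rule(pkt) and (pkt.proto == "udp" or pkt.flags == SYN):
            self.states.add(key)
            return "pass"
        return "block"


def run_scenarios():
    """Return {scenario: (stateless verdict, stateful verdict)}."""
    client = "198.51.100.7"           # constructed internet client
    sf = StatefulFilter()
    scenarios = {
        "ssh syn in":        Packet("in", "tcp", client, 40000, SSH_HOST, 22, SYN),
        "ssh synack out":    Packet("out", "tcp", SSH_HOST, 22, client, 40000, SYN | ACK),
        "dns query in":      Packet("in", "udp", client, 53000, DNS_HOST, 53),
        "dns reply out":     Packet("out", "udp", DNS_HOST, 53, client, 53000),
        # Internal host emitting ACK-flagged TCP with no connection behind it
        "ack-only exfil out": Packet("out", "tcp", "10.0.0.9", 4444,
                                     "203.0.113.66", 4444, ACK),
    }
    return {name: (stateless_filter(p), sf.decide(p)) for name, p in scenarios.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenarios().items():
        print(f"{name:20s} established={stateless:5s} keep state={stateful}")
```

The ssh exchange passes under both models, which is the case the thread discusses. The DNS reply is blocked by the `established` model because a UDP header has no flags to test, and the ACK-only packet from the internal host is passed by it because the flag check is all it has; the state table gets both cases right because it asks whether a flow exists rather than what the flags say.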

