Re: ipfw newbie question
From: Jens Schweikhardt (usenet_at_schweikhardt.net)
Date: 09/30/03
- Next message: Angus C: "Re: newbie startup script woes"
- Previous message: Warren Block: "Re: Recommendation for External USB Hard Drive"
- In reply to: surfsofa: "ipfw newbie question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 30 Sep 2003 11:40:49 GMT
surfsofa <surfsofa@hotmail.com> wrote
in <blbjgj$a4e5u$1@ID-62754.news.uni-berlin.de>:
# What is the purpose of this rule? :
#
# allow tcp from any to any established
#
# I've seen reference to it in several places but can't figure out what it
# buys me. I'm running a web server btw.
#
# Not frightened of a technical explanation but have been struggling to find
# one.
An "established" TCP connection is one past the initial connection
setup. The difference is the ACK bit in the TCP header, which is only
set for established connections, but not during the initial setup. You
can safely allow any packet belonging to established connections if you
have constrained the connection setup: If you deny smtp from spammer.org
and openrelay.net then you can never have an established connection with
them and all packets carrying an ACK must be OK (because it is
impossible to establish a TCP connection with ACK packets). It's a
performance gain if you allow the established connection in sequenced
deny lists by putting that rule at or near the top.
Regards,
Jens
--
Jens Schweikhardt http://www.schweikhardt.net/
SIGSIG -- signature too long (core dumped)
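To make the rule ordering in the reply concrete, here is an added Python evaluator (it is not code from the thread or from ipfw itself) that applies ipfw's first-match semantics to the "setup" and "established" keywords over a constructed ruleset; the hostnames spammer.org and openrelay.net come from the reply, and the rule numbers, ports and the "client.example" host are assumptions.

```python
# Constructed first-match evaluator for a subset of ipfw TCP rule syntax:
# "setup" (SYN set, ACK clear), "established" (ACK or RST set), host/port.
# "me" is a plain hostname here; real ipfw resolves it to the host's addresses.
SYN, RST, ACK = 0x02, 0x04, 0x10

def parse_rule(line):
    """Parse e.g. '00200 deny tcp from spammer.org to me 25 setup'."""
    w = line.split()
    num, action, src = int(w[0]), w[1], w[4]
    to = w.index("to")
    dst, rest = w[to + 1], w[to + 2:]
    dport = int(rest.pop(0)) if rest and rest[0].isdigit() else None
    opt = rest[0] if rest else None
    return {"num": num, "action": action, "src": src, "dst": dst,
            "dport": dport, "opt": opt}

def matches(rule, pkt):
    if rule["src"] != "any" and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    flags = pkt["flags"]
    if rule["opt"] == "setup":        # only the first packet of a handshake
        return bool(flags & SYN) and not flags & ACK
    if rule["opt"] == "established":  # anything carrying ACK (or RST)
        return bool(flags & (ACK | RST))
    return True

def evaluate(rules, pkt):
    """Return (rule number, action) of the first rule that matches pkt."""
    for r in rules:
        if matches(r, pkt):
            return r["num"], r["action"]
    return 65535, "deny"  # ipfw's implicit default rule

def packet(src, dst, dport, flags):
    return {"src": src, "dst": dst, "dport": dport, "flags": flags}

# Ruleset in the shape the reply recommends: established at the top,
# then constrained connection setup (constructed hostnames and numbers).
RULES = [parse_rule(l) for l in """
00100 allow tcp from any to any established
00200 deny tcp from spammer.org to me 25 setup
00300 deny tcp from openrelay.net to me 25 setup
00400 allow tcp from any to me 80 setup
00500 allow tcp from any to me 25 setup
""".splitlines() if l.strip()]
```

Note that a bare ACK from spammer.org still matches rule 100; it is harmless only because the setup rules guarantee no connection with that host exists, so the stack simply resets it, which is exactly the reasoning in the reply.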