Transparent firewall & Dynamic rules

Cypher Wu cypher.w at gmail.com
Sat Sep 12 13:51:05 UTC 2009


It seems fine, but I still have some questions:
1. The endpoint will respond to the keepalive TCP segment and the
destination will be the other endpoint. Will IPFW just let it through
like the usual IP packet, or try to figure it out and drop it?
2. If I have two computers and I can make sure both ends are not using
keepalive, can I still figure out that there is a firewall between
these two computers?


On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:
> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packets to
>> avoid deleting a dynamic rule when both ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have its own IPs and is not transparent anymore.
>
> keepalives carry the addresses of the two endpoints,
> the firewall is not visible.
>
>
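The mechanism Luigi describes, as an added example that is not part of the original thread and is not ipfw's own code: a small Python model of a bridging firewall with a dynamic-rule table that sends keepalives to both endpoints, plus two minimal TCP peers that answer them. The addresses, ports, initial sequence numbers, the 300 s rule lifetime and the 20 s keepalive window are assumptions chosen for illustration (the corresponding real knobs are the net.inet.ip.fw.dyn_ack_lifetime and net.inet.ip.fw.dyn_keepalive sysctls); the peers implement only the handshake and the RFC 1122 reply to a stale ACK. Running the same idle connection with keepalives on and off shows that each keepalive carries only the two endpoints' addresses, that the endpoint's reply crosses the bridge and matches the existing dynamic rule like any other packet, and that without keepalives the idle connection's state is gone after the lifetime.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to what the state table and keepalive logic look at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" (SYN), "SA" (SYN+ACK) or "A" (pure ACK); no payload in this model
    seq: int
    ack: int


Key = Tuple[str, int, str, int]  # (initiator addr, port, responder addr, port)


@dataclass
class DynRule:
    key: Key
    expires: int   # absolute time at which the rule is deleted
    ack_fwd: int   # last ack number seen initiator -> responder (0 until seen)
    ack_rev: int   # last ack number seen responder -> initiator (0 until seen)


class TransparentFirewall:
    """Bridging firewall with a dynamic-rule table. It owns no IP address at all."""

    def __init__(self, lifetime: int = 300, keepalive: bool = True, keepalive_interval: int = 20):
        self.lifetime = lifetime                  # assumed value, stands in for dyn_ack_lifetime
        self.keepalive = keepalive                # stands in for dyn_keepalive
        self.keepalive_interval = keepalive_interval
        self.rules: Dict[Key, DynRule] = {}

    def _expire(self, now: int) -> None:
        self.rules = {k: r for k, r in self.rules.items() if r.expires > now}

    def forward(self, seg: Segment, now: int) -> bool:
        """check-state / keep-state: pass the segment if it matches or creates a rule."""
        self._expire(now)
        fwd = (seg.src, seg.sport, seg.dst, seg.dport)
        rev = (seg.dst, seg.dport, seg.src, seg.sport)
        rule = self.rules.get(fwd) or self.rules.get(rev)
        if rule is None:
            if seg.flags != "S":
                return False          # no state and not a new connection: dropped
            rule = self.rules[fwd] = DynRule(fwd, now + self.lifetime, 0, 0)
        elif "A" in seg.flags:
            if rule.key == fwd:
                rule.ack_fwd = seg.ack
            else:
                rule.ack_rev = seg.ack
        rule.expires = now + self.lifetime  # any matching traffic refreshes the rule
        return True

    def tick(self, now: int) -> List[Segment]:
        """Drop expired rules; emit keepalives for established rules about to expire.
        Each keepalive is addressed from one endpoint to the other: the firewall
        itself never appears in the packet."""
        self._expire(now)
        out: List[Segment] = []
        if not self.keepalive:
            return out
        for r in self.rules.values():
            if r.expires - now <= self.keepalive_interval and r.ack_fwd and r.ack_rev:
                a, ap, b, bp = r.key
                # seq one below what the receiver expects provokes an ACK in reply
                out.append(Segment(a, ap, b, bp, "A", r.ack_rev - 1, r.ack_fwd))
                out.append(Segment(b, bp, a, ap, "A", r.ack_fwd - 1, r.ack_rev))
        return out


class Endpoint:
    """Minimal TCP peer: handshake plus the RFC 1122 reply to a stale ACK."""

    def __init__(self, addr: str, port: int, isn: int):
        self.addr, self.port, self.snd_nxt, self.rcv_nxt = addr, port, isn, 0

    def connect(self, addr: str, port: int) -> Segment:
        seg = Segment(self.addr, self.port, addr, port, "S", self.snd_nxt, 0)
        self.snd_nxt += 1
        return seg

    def receive(self, seg: Segment) -> Optional[Segment]:
        def reply(flags: str) -> Segment:
            return Segment(self.addr, self.port, seg.src, seg.sport, flags, self.snd_nxt, self.rcv_nxt)
        if seg.flags == "S":
            self.rcv_nxt = seg.seq + 1
            out = reply("SA")
            self.snd_nxt += 1
            return out
        if seg.flags == "SA":
            self.rcv_nxt = seg.seq + 1
            return reply("A")
        if seg.seq == self.rcv_nxt - 1:   # out-of-window ACK: answer with our current ACK
            return reply("A")
        return None                        # in-window pure ACK: nothing to say


def idle_connection(keepalive: bool, idle_seconds: int = 400) -> Tuple[bool, List[Segment]]:
    """Open a connection through the bridge, leave it idle, then test whether a later
    segment on it still passes. Returns (passed, keepalives the firewall sent).
    Hosts, ports and ISNs are constructed sample values."""
    fw = TransparentFirewall(keepalive=keepalive)
    client, server = Endpoint("10.0.0.2", 40000, isn=1000), Endpoint("10.0.0.1", 22, isn=5000)
    hosts = {client.addr: client, server.addr: server}
    sent: List[Segment] = []

    def deliver(seg: Segment, now: int) -> None:
        # everything crossing the bridge is subject to the rule table, keepalive replies included
        if fw.forward(seg, now):
            reply = hosts[seg.dst].receive(seg)
            if reply is not None:
                deliver(reply, now)

    deliver(client.connect(server.addr, server.port), 0)
    for now in range(0, idle_seconds + 1, 5):   # housekeeping runs every 5 s
        for ka in fw.tick(now):
            sent.append(ka)
            reply = hosts[ka.dst].receive(ka)   # keepalive goes straight to the endpoint
            if reply is not None:
                deliver(reply, now)             # its reply crosses the bridge like any packet
    late = Segment(client.addr, client.port, server.addr, server.port, "A", client.snd_nxt, client.rcv_nxt)
    return fw.forward(late, idle_seconds), sent
```

With keepalives enabled, idle_connection(True) sends exactly two keepalives at the 280 s mark (one to each endpoint, each sourced from the other endpoint), both replies match the existing rule and push its expiry out, and the segment sent at 400 s still passes; idle_connection(False) sends nothing, the rule is deleted at 300 s, and the later segment is dropped because a pure ACK cannot create state.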

