stateful firewall

JJB Barbish3 at adelphia.net
Thu Feb 26 05:57:06 PST 2004 

You have run into the IPFW legacy divert/nated subroutine bug. IPFW
stateful rules and divert/nate do not work together. IPFW stateful
rules only work in non-NATed environment. You need to use
IPFILTER/IPNAT the other firewall software application which is
built into FBSD. The FBSD handbook does not even tell you that FBSD
has more than one firewall. Smart move to want an stateful firewall
they provide the max in protection.

see, http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1

http://coombs.anu.edu.au/~avalon/ip-filter.html

To see the FAQ  http://www.phildev.net/ipf/index.html

I use ipfilter and do exactly what you want. IF you want copy of my
rules let me know.





As of July 2003 the OpenBSD firewall software application named PF
was ported to FBSD. It's scheduled to become the third firewall
software application delivered with the FBSD install with the next
stable production release.
You can find it in the FBSD ports collection here

http://www.freebsd.org/cgi/ports.cgi?query=pf&stype=all&release=4.9-
STABLE%2Fi386

More Info can be found here
http://pf4freebsd.love2party.net/index.html


-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mihai Marie
Sent: Thursday, February 26, 2004 3:12 AM
To: freebsd-questions at freebsd.org
Subject: stateful firewall

Hello,

I want to setup a firewall (on my LAN's gateway) so that the only
traffic that pass through is the one initiated from my local network
(we
have public IP's).

My firewall looks like this

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from $my_lan to any setup keep-state

The problems appear when I want to make some ftp traffic with a
server
that is outside (or any other traffic that tries to open a new
separated
connection in relation with the one initiated from our LAN).

With iptables (in redhat) you can do:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

but I don't know how can I do something like this using ipfw or
another
firewall on FreeBSD.

Any help would be appreciated,

Mihai Marie

_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"freebsd-questions-unsubscribe at freebsd.org"

More information about the freebsd-questions mailing list