stateful firewall
JJB
Barbish3 at adelphia.net
Thu Feb 26 05:57:06 PST 2004
You have run into the IPFW legacy divert/natd subroutine bug. IPFW
stateful rules and divert/natd do not work together. IPFW stateful
rules only work in a non-NATed environment. You need to use
IPFILTER/IPNAT, the other firewall software application which is
built into FBSD. The FBSD handbook does not even tell you that FBSD
has more than one firewall. Smart move to want a stateful firewall;
they provide the max in protection.
See http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1
http://coombs.anu.edu.au/~avalon/ip-filter.html
To see the FAQ: http://www.phildev.net/ipf/index.html
I use ipfilter and do exactly what you want. If you want a copy of my
rules let me know.
As of July 2003 the OpenBSD firewall software application named PF
was ported to FBSD. It's scheduled to become the third firewall
software application delivered with the FBSD install with the next
stable production release.
You can find it in the FBSD ports collection here:
http://www.freebsd.org/cgi/ports.cgi?query=pf&stype=all&release=4.9-STABLE%2Fi386
More info can be found here:
http://pf4freebsd.love2party.net/index.html
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mihai Marie
Sent: Thursday, February 26, 2004 3:12 AM
To: freebsd-questions at freebsd.org
Subject: stateful firewall
Hello,
I want to set up a firewall (on my LAN's gateway) so that the only
traffic that passes through is the one initiated from my local network
(we have public IPs).
My firewall looks like this:
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from $my_lan to any setup keep-state
The problems appear when I want to make some ftp traffic with a server
that is outside (or any other traffic that tries to open a new separate
connection in relation with the one initiated from our LAN).
With iptables (in redhat) you can do:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
but I don't know how I can do something like this using ipfw or another
firewall on FreeBSD.
Any help would be appreciated,
Mihai Marie
_______________________________________________
freebsd-questions at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
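The following is an added illustration for this thread, not code from either poster. It is a toy model of the three ipfw rules quoted above (check-state, deny established, allow setup keep-state from the LAN) and shows why they drop an active-mode FTP data connection: the server opens a brand-new TCP connection from port 20 back to the client, and nothing in the state table matches it. The optional FTP helper plays the role of iptables' RELATED tracking (or ipnat's FTP proxy): it reads the client's PORT command and pre-registers the expected inbound connection. All addresses and ports are constructed (RFC 5737 documentation ranges), and the flag handling is a simplification of real ipfw semantics.

```python
"""Toy stateful filter: why plain keep-state rules miss active FTP.

Added example for the freebsd-questions thread above; not the posters'
code. Addresses, ports and packets are constructed for illustration.
"""
from dataclasses import dataclass

LAN = "203.0.113."  # constructed prefix standing in for the poster's public LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # "S" = SYN only (setup), "SA" = SYN/ACK, "A" = ACK
    payload: str = ""    # application data; only the FTP helper looks at it


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN)


class StatefulFilter:
    """Models 'check-state / deny established / allow setup keep-state'."""

    def __init__(self, ftp_helper: bool = False):
        self.state = set()       # known flows as (src, sport, dst, dport)
        self.expected = set()    # (dst, dport) pairs announced via FTP PORT
        self.ftp_helper = ftp_helper

    def filter(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # check-state: any segment of a tracked flow passes in either direction
        if fwd in self.state or rev in self.state:
            if self.ftp_helper and p.dport == 21 and p.payload.startswith("PORT "):
                self._learn_port(p)
            return "allow"
        # deny tcp from any to any established: non-SYN with no state (simplified)
        if p.flags != "S":
            return "deny"
        # allow tcp from $my_lan to any setup keep-state
        if is_lan(p.src):
            self.state.add(fwd)
            return "allow"
        # RELATED-style exception: inbound setup the FTP helper was told to expect
        if (p.dst, p.dport) in self.expected:
            self.expected.discard((p.dst, p.dport))
            self.state.add(fwd)
            return "allow"
        return "deny"

    def _learn_port(self, p: Packet) -> None:
        # PORT h1,h2,h3,h4,p1,p2 => client listens on h1.h2.h3.h4:(p1*256+p2)
        nums = [int(x) for x in p.payload[5:].strip().split(",")]
        self.expected.add((".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]))


def active_ftp_scenario(ftp_helper: bool) -> list:
    """Run a constructed active-mode FTP session plus one unsolicited SYN."""
    fw = StatefulFilter(ftp_helper)
    client, server = LAN + "10", "198.51.100.5"
    packets = [
        Packet(client, 40000, server, 21, "S"),    # control connection setup from LAN
        Packet(server, 21, client, 40000, "SA"),   # server's reply, matches state
        Packet(client, 40000, server, 21, "A",
               "PORT 203,0,113,10,160,1\r\n"),     # client announces 203.0.113.10:40961
        Packet(server, 20, client, 40961, "S"),    # server opens the data connection
        Packet("192.0.2.9", 4444, client, 22, "S"),  # unrelated inbound setup
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print("ipfw-style rules only:", active_ftp_scenario(False))
    print("with FTP helper:      ", active_ftp_scenario(True))
```

Without the helper the fourth packet, the server's SYN from port 20, is denied, which is exactly the symptom described in the question; with it, the data connection is admitted while the unrelated inbound SYN is still refused either way.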