IPFW Stateful behaviour (fwd)
Prokofiev S.P.
proks at logos.uptel.net
Thu Apr 19 13:17:25 UTC 2007
Forwarding to freebsd-ipfw to reach a more specific ipfw audience.
Hi ALL!
PF has a useful state-policy option: if-bound, group-bound, floating.
I have found out that IPFW stateful rules are not attached to the interface
and behave like PF stateful rules in floating mode.
For example, I build stateful rules (29991, 31991) on two interfaces for two
different networks. I send a packet "pkt" from network net_staff1 to
network net_staff2. It creates a stateful rule on entering if1, then it gets access
to net_staff2 on output from if2 through the keep-state rule 31991. Deny rule
31995 does not work.
I solved this problem with tag and skipto (29990, 31990), but it is not
absolutely beautiful and useless.
Are other solutions possible?
           +-----------------+
           |             if1 O----net_staff1
           |                 |-----<----pkt
----INET---O if0             |
           |                 |----->---->
           |             if2 O----net_staff2
           +-----------------+
ipfw add skipto 29000 ip from any to any via $if1 // skip the rules for the other iface
ipfw add skipto 31000 ip from any to any via $if2 // skip the rules for the other iface
############## IF1 29000
N_DA=29995
ipfw add 29990 skipto $N_DA log ip from any to any via $if1 tagged 65534 // bypass the other stateful rule
ipfw add 29991 allow tag 65534 log ip from $net_staff1 to any via $if1 in keep-state // stateful
ipfw add $N_DA deny log ip from any to $net_staff1 via $if1 out
ipfw add 29999 skipto 65000 ip from any to any via $if1
############## IF2 31000
N_DA=31995
ipfw add 31990 skipto $N_DA log ip from any to any via $if2 tagged 65534 // bypass the other stateful rule
ipfw add 31991 allow tag 65534 log ip from $net_staff2 to any via $if2 in keep-state // stateful
ipfw add $N_DA deny log ip from any to $net_staff2 via $if2 out
ipfw add 31999 skipto 65000 ip from any to any via $if2
PS: I would like to propose making it possible to change the behaviour of ipfw
stateful rules, as is done in pf.
Sorry for my English.
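As an added illustration (not part of the original post and not ipfw code), a small Python model of the rule walk the post describes: dynamic entries are keyed on the flow alone, so the state created on if1/in satisfies the implicit check-state of rule 31991 and deny 31995 is never reached, while the tagged skipto pair 29990/31990 sends the tagged packet straight to the deny. The network prefixes, host addresses and interface names are constructed stand-ins for net_staff1, net_staff2, if1 and if2.

```python
# Added example (not ipfw code): toy model of the rule walk in the post. Dynamic
# (keep-state) entries are keyed on the flow only, not on interface/direction.
import ipaddress
NET1, NET2 = ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24")  # constructed net_staff1/2
TAG = 65534
def rule(num, action, src=None, dst=None, via=None, dirn=None, tagged=None, tag=None, keep_state=False, target=None):
    return dict(locals())
def static_match(r, pkt):  # the rule's own (non-dynamic) conditions
    return ((r["src"] is None or pkt["src"] in r["src"])
            and (r["dst"] is None or pkt["dst"] in r["dst"])
            and (r["via"] is None or pkt["iface"] == r["via"])
            and (r["dirn"] is None or pkt["dir"] == r["dirn"])
            and (r["tagged"] is None or r["tagged"] in pkt["tags"]))
def run_pass(rules, pkt, states):
    """One ipfw pass (in or out) over the packet. Returns (action, rule number)."""
    flow, i = (pkt["src"], pkt["dst"]), 0
    while i < len(rules):
        r = rules[i]
        # keep-state implies check-state: a floating entry wins before the
        # rule's own via/in/out conditions are even looked at.
        if r["keep_state"] and flow in states:
            return states[flow]
        if static_match(r, pkt):
            if r["tag"] is not None:
                pkt["tags"].add(r["tag"])
            if r["action"] == "skipto":  # jump to the first rule numbered >= target
                i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]), len(rules))
                continue
            if r["keep_state"]:
                states[flow] = (r["action"], r["num"])
            return r["action"], r["num"]
        i += 1
    return "allow", 65535  # assumed default; not reached in the scenarios below
def ruleset(with_tags):
    rs = [rule(100, "skipto", via="if1", target=29000), rule(200, "skipto", via="if2", target=31000)]
    for base, net, ifn in ((29000, NET1, "if1"), (31000, NET2, "if2")):
        if with_tags:  # the post's 29990 / 31990 workaround
            rs.append(rule(base + 990, "skipto", via=ifn, tagged=TAG, target=base + 995))
        rs += [rule(base + 991, "allow", src=net, via=ifn, dirn="in", tag=TAG, keep_state=True),
               rule(base + 995, "deny", dst=net, via=ifn, dirn="out"),
               rule(base + 999, "skipto", via=ifn, target=65000)]
    return rs
def forward(with_tags):
    """net_staff1 -> net_staff2 packet: verdict on if1/in, then on if2/out."""
    rs, states = ruleset(with_tags), {}
    pkt = {"src": ipaddress.ip_address("10.1.0.7"), "dst": ipaddress.ip_address("10.2.0.9"),
           "iface": "if1", "dir": "in", "tags": set()}
    first = run_pass(rs, pkt, states)
    pkt.update(iface="if2", dir="out")  # same packet leaving; the tag travels with it
    return first, run_pass(rs, pkt, states)
```

Without the tag rules the second pass is allowed by the state that 29991 created; with them it ends at deny 31995.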