[RFC][patch] Two new actions: state-allow and state-deny

Julian Elischer julian at freebsd.org
Wed Feb 4 05:13:13 UTC 2015


On 2/3/15 6:23 PM, Lev Serebryakov wrote:
>
> On 03.02.2015 13:04, Ian Smith wrote:
>
>>> Now to make stateful firewall with NAT you need to make some not
>>> very "readable" tricks to record state ("allow") of outbound
>>> connection before NAT, but pass packet to NAT after that. I know
>>> two:
>>>
>>> (a) skipto-nat-allow pattern from many HOWTOs
>> Lev, can you provide references for these HOWTOs you refer to?
>>
>> I have a suspicion that some of them should be taken out and shot.
>   google for "FreeBSD ipfw nat stateful" :) There are a lot of them. Not
> real HOWTOs, but blog posts & alike.
>
>   BTW, without a new mechanism it is really hard to do such a firewall, as
> we need the action (nat) after "allow keep-state". It could be done with
> this ugly skipto or with "allow keep-state" in the INCOMING section of the
> firewall, which is not much better, as I prefer to decide whether to let a
> packet out or not in the OUTGOING part of the firewall, and with "allow
> keep-state" in the incoming path it floods the state table with unused states.
>
>   Another problem is that "keep-state" acts as "check-state" too, so you
> cannot have ANOTHER "keep-state" before NAT in the outgoing part or you
> miss nat completely (state is created in the outgoing path, and then
> checked before nat in the outgoing path with "keep-state", grrrrr, ugly!).

Yes, I think "keep-state" should be deprecated and replaced or 
supplemented by 'save_state' that does NOT do an implicit 
'check-state'. I don't know whose idea that was, but it's just wrong. 
(If the state exists, maybe just replace it.)


>
>
> -- 
> // Lev Serebryakov AKA Black Lion


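The two orderings discussed above, written out as an added example (this is not a ruleset from the thread or from any FreeBSD HOWTO): a generator for the "skipto-nat-allow" pattern Lev calls ugly, next to the naive "allow keep-state before nat" ordering that silently leaks untranslated packets. The external interface em0, NAT instance 1 and the rule numbers are constructed assumptions. By default the script only prints the rules so they can be reviewed; on a FreeBSD host, `apply` as the first argument loads them with ipfw.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates why the outbound
# "allow keep-state" rule must become "skipto <nat rule> keep-state" when
# in-kernel NAT follows the stateful check.
# Assumptions (constructed): external interface em0, NAT instance 1.

ext_if="em0"

# Working ordering (the skipto-nat-allow pattern).
#  100  inbound packets are de-NATed first, so check-state sees LAN addresses
#  200  check-state matches existing dynamic rules and executes their action
#  300+ first outbound packet of a flow: create state, then skipto the nat
#       rule instead of "allow", because "allow" would end rule processing
#       before the packet is translated
# 1000  translate outbound packets, 1010 let them leave
# Any other keep-state rule between 200 and 1000 would also act as a
# check-state and steal the packet from the skipto path (Lev's second point).
emit_rules() {
    cat <<EOF
nat 1 config if ${ext_if} same_ports unreg_only reset
add 100 nat 1 ip from any to any in via ${ext_if}
add 200 check-state
add 300 skipto 1000 tcp from any to any out via ${ext_if} setup keep-state
add 310 skipto 1000 udp from any to any out via ${ext_if} keep-state
add 320 skipto 1000 icmp from any to any out via ${ext_if} keep-state
add 400 deny log ip from any to any out via ${ext_if}
add 500 allow ip from any to any via lo0
add 510 deny log ip from any to any in via ${ext_if}
add 1000 nat 1 ip from any to any out via ${ext_if}
add 1010 allow ip from any to any
EOF
}

# Broken ordering, kept only for comparison: rule 300 records state and
# terminates the search, so the packet leaves em0 with its private source
# address and rule 1000 is never reached.
emit_broken_rules() {
    cat <<EOF
nat 1 config if ${ext_if} same_ports unreg_only reset
add 100 nat 1 ip from any to any in via ${ext_if}
add 200 check-state
add 300 allow tcp from any to any out via ${ext_if} setup keep-state
add 1000 nat 1 ip from any to any out via ${ext_if}
add 1010 allow ip from any to any
EOF
}

# Load the working ruleset; only meaningful on a host with ipfw(8).
load_rules() {
    ipfw -q -f flush
    emit_rules | while read -r line; do
        # shellcheck disable=SC2086  # word splitting of the rule is intended
        ipfw -q $line
    done
}

case "${1:-}" in
    apply) load_rules ;;
    *)     emit_rules ;;   # dry run: print the rules for review
esac
```

Reading the generated rules top to bottom with a reply packet in mind is the quickest check: it is translated at 100, matched at 200, and the dynamic rule's stored action (`skipto 1000`) carries it past the outbound-only nat rule to the final allow.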
