[RFC][patch] Two new actions: state-allow and state-deny
Ian Smith
smithi at nimnet.asn.au
Tue Feb 3 12:32:06 UTC 2015
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
> On 03.02.2015 13:04, Ian Smith wrote:
>
> >> Now to make stateful firewall with NAT you need to make some not
> >> very "readable" tricks to record state ("allow") of outbound
> >> connection before NAT, but pass packet to NAT after that. I know
> >> two:
> >>
> >> (a) skipto-nat-allow pattern from many HOWTOs
> >
> > Lev, can you provide references for these HOWTOs you refer to?
> >
> > I have a suspicion that some of them should be taken out and shot.
>
> google for "FreeBSD ipfw nat stateful" :) There are a lot of them. Not
> real HOWTOs, but blog posts & alike.
As I suspected, most of them either are or refer to or are based on the
handbook IPFW page, which I believe has caused more damage to the cause
of IPFW adoption and usage than anything else. ipfw(8) is your friend,
and pretty much your only friend in this regard.
Of those, https://nileshgr.com/2014/12/07/freebsd-ipfw-nat-jails isn't
bad. Many of the others are up to 10 years old and not much help.
http://www.pl.freebsd.org/doc/handbook/firewalls-ipfw.html is an earlier
version of https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
which has undergone significant improvement lately (compare), but still
contains factual errors in the rulesets and very muddle-headed ideas
regarding syslog and other things, IMHO.
I'd best say no more on this topic; you can't discombobulate confusion.
Cheers, Ian out
> BTW, without a new mechanism it is really hard to do such a firewall, as
> we need action (nat) after "allow keep-state". It could be done with
> this ugly skip-to or with "allow keep-state" in the INCOMING section of
> the firewall, which is not much better, as I prefer to decide whether to
> let a packet out or not in the OUTGOING part of the firewall, and with
> "allow keep-state" in the incoming path it floods the state table with
> unused states.
>
> Another problem is that "keep-state" acts as "check-state" too, so you
> could not have ANOTHER "keep-state" before NAT in the outgoing part or you
> miss nat completely (state is created in the outgoing path, and then
> checked before nat in the outgoing path with "keep-state", grrrrr, ugly!).
>
>
> --
> // Lev Serebryakov AKA Black Lion
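The skipto-nat-allow pattern Lev describes, written out as an added example that is not part of this thread or of any ipfw documentation; it assumes em0 is the outside interface, em1 the LAN, 192.168.0.0/24 the inside network, and the default net.inet.ip.fw.one_pass=1 (a packet hitting the nat rule is accepted without re-entering the ruleset).

```shell
#!/bin/sh
# Added example of the skipto-nat-allow pattern discussed in the thread.
# Assumptions (not from the thread): em0 = outside interface, em1 = LAN,
# 192.168.0.0/24 = inside network, net.inet.ip.fw.one_pass=1 (the default).
# Default is a dry run that prints the commands; run with IPFW=/sbin/ipfw to apply.
IPFW=${IPFW:-"echo ipfw"}

build_ruleset() {
    $IPFW -q flush
    $IPFW -q nat 1 config if em0 reset same_ports

    # Loopback and LAN-side traffic are neither translated nor state-tracked here.
    $IPFW add 50 allow ip from any to any via lo0
    $IPFW add 60 allow ip from any to any via em1

    # Inbound on the outside interface: translate FIRST, so that check-state
    # sees the inside address the dynamic rule was recorded with.
    $IPFW add 100 nat 1 ip from any to any in via em0
    $IPFW add 110 check-state

    # Outbound from the LAN: record state BEFORE translation (untranslated
    # addresses), then jump over the deny to the nat rule. The dynamic rule
    # inherits the skipto action, so matching replies also land on rule 1000.
    $IPFW add 200 skipto 1000 tcp from 192.168.0.0/24 to any out via em0 setup keep-state
    $IPFW add 210 skipto 1000 udp from 192.168.0.0/24 to any out via em0 keep-state

    # Everything not explicitly allowed or matched by a state is logged and dropped.
    $IPFW add 300 deny log ip from any to any

    # Translate the outbound packet; with one_pass=1 it is accepted here.
    $IPFW add 1000 nat 1 ip from any to any out via em0
    # Reached by inbound replies that arrive via the skipto of a dynamic rule
    # (the nat rule above only matches "out"), and by outbound packets if one_pass=0.
    $IPFW add 1010 allow ip from any to any
}

build_ruleset
```

The state is created by rule 200/210 with the pre-NAT inside address, which is why inbound packets must be de-translated by rule 100 before check-state at 110 can match them.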