[RFC][patch] New "keep-state-only" option
Julian Elischer
julian at freebsd.org
Wed Feb 4 05:33:03 UTC 2015
On 2/4/15 12:13 AM, Lev Serebryakov wrote:
>
> Ok, "allow-state"/"deny-state" was a very limited idea.
> Here is a more universal mechanism: a new "keep-state-only" (aliased as
> "record-only") option, which works exactly as "keep-state" BUT cancels the
> match of the rule after state creation. It allows writing a stateful + nat
> firewall as easily as:
>
> nat 1 config if outIface
>
> 1000 skipto 2000 in
> skipto 3000 out
> deny all from any to any // Safeguard
> 2000 skipto 4000 recv inIface
> skipto 6000 recv outIface
> deny all from any to any // Safeguard
> 3000 skipto 5000 xmit inIface
> skipto 7000 xmit outIface
> deny all from any to any // Safeguard
> 4000 // For sake of simplicity!
> // Real firewall will have some checks about local network here
> allow all from any to any
> deny all from any to any // Safeguard
> 5000 // For sake of simplicity!
> // Real firewall will have some checks about local network here
> allow all from any to any
> deny all from any to any // Safeguard
> 6000 deny all not dst-ip $EXT_IP
> nat 1 all from any to any
> // All enabled with "keep-state-only" at block 7000 before NAT
> check-state all from any to any
> // Here could be accept rules for our servers or servers in DMZ
> // Disable everything else
> deny all from any to any
> 7000 // Here go rules which could DISABLE outbound external traffic
> // Create state for "check-state" at block 6000 and fallthrough
> allow keep-state-only
> allow src-ip $EXT_IP // Save NAT some work
> nat 1 all from any to any
> allow all from any to any
> deny all from any to any // Safeguard
>
> And variants with multiple NATs and "nat global" become as easy as
> this, too! No stupid "skipto", no "keep-state" at the "incoming from local
> network" parts of the firewall, nothing!
>
> P.S. I HATE this "all any to any" part!
Can we get rid of it? (implied).. or just add "everything"
Also I am not sure about "keep-state-only"..
How about 'set-state'? Or record-state as I started with..
>
> --
> // Lev Serebryakov
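To make the proposed semantics concrete, here is a small Python model of the ipfw rule walk, added here as an illustration and not part of the original thread or of ipfw itself. It collapses the posted ruleset to its 6000/7000 blocks and assumes one_pass=0 (nat rules fall through), a direction-agnostic state key, a simplified 1:1 NAT to one constructed LAN host, and that check-state applies the action of the rule that created the state; all addresses are constructed documentation-range values.

```python
EXT_IP = "203.0.113.1"                           # constructed router address
LAN_HOST, REMOTE = "192.0.2.10", "198.51.100.5"  # constructed endpoints
ANY = lambda p: True

def walk(rules, pkt, dyn):
    """Walk rules for pkt; dyn is the dynamic state table (flow -> action)."""
    i = 0
    while i < len(rules):
        num, action, match, opt = rules[i]
        flow = frozenset((pkt["src"], pkt["dst"]))  # direction-agnostic key
        if action == "check-state" and flow in dyn:
            return dyn[flow], pkt                    # reply matched by state
        if action == "check-state" or not match(pkt):
            i += 1; continue
        if opt in ("keep-state", "keep-state-only"):
            dyn.setdefault(flow, action)             # install state for this flow
            if opt == "keep-state-only":             # state made, rule "does not match"
                i += 1; continue
        if action == "nat":                          # simplified 1:1 translation, falls through
            pkt = {**pkt, "src": EXT_IP} if pkt["dir"] == "out" else {**pkt, "dst": LAN_HOST}
            i += 1; continue
        if action.startswith("skipto"):
            target = int(action.split()[1])
            i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
            continue
        return action, pkt                           # allow / deny terminates the walk
    return "deny", pkt                               # default deny at end of list

def ruleset(state_opt):  # blocks 1000/6000/7000 of the posted ruleset, state option varied
    return [
        (1000, "skipto 6000", lambda p: p["dir"] == "in", None),
        (1001, "skipto 7000", lambda p: p["dir"] == "out", None),
        (6000, "deny", lambda p: p["dst"] != EXT_IP, None),
        (6001, "nat", ANY, None),
        (6002, "check-state", ANY, None),
        (6003, "deny", ANY, None),
        (7000, "allow", ANY, state_opt),
        (7001, "allow", lambda p: p["src"] == EXT_IP, None),
        (7002, "nat", ANY, None),
        (7003, "allow", ANY, None),
    ]

def session(state_opt):
    """Outbound LAN packet, its reply, then an unsolicited inbound packet."""
    dyn = {}
    v_out, translated = walk(ruleset(state_opt), {"src": LAN_HOST, "dst": REMOTE, "dir": "out"}, dyn)
    v_reply, _ = walk(ruleset(state_opt), {"src": REMOTE, "dst": EXT_IP, "dir": "in"}, dyn)
    v_cold, _ = walk(ruleset(state_opt), {"src": "198.51.100.99", "dst": EXT_IP, "dir": "in"}, dyn)
    return v_out, translated["src"], v_reply, v_cold
```

With "keep-state-only" the outbound packet leaves the box translated to EXT_IP and its reply is admitted by check-state, while with plain "keep-state" the allow rule at 7000 terminates the walk before the nat rule and the packet leaves with its private source address; the unsolicited inbound packet is denied in both cases.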