keep-state and divert
Victor Sudakov
vas at mpeks.tomsk.su
Thu Apr 2 01:01:06 PDT 2009
Paul A Procacci wrote:
> >
> >I have read some recommendations on combining a stateful firewall with
> >divert,
> >e.g.
> >http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> >and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
> >
> >Do I understand correctly that it is (mathematically?) impossible to
> >use the two together without also using "skipto"?
> >
> >If we consider a simple example below, how would you replace the 600th
> >rule for a stateful one?
> >
> >00100 divert 8668 ip from any to table(1) out via rl0
> >00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> >00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> >00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> >
> >00500 divert 8668 ip from table(1) to any in via rl0
> >00600 allow ip from table(1) to any in via rl0
> >00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> >00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> >00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
> >
> >65535 allow ip from any to any
> >
> >Thank you in advance for any input.
> >
> >
>
> Hopefully you don't mind a response which provides a fully functioning
> firewall ruleset. It's by no means complete, but should give you the
> answer to your question.
>
> http://procacci.me/ipfw.conf
I have seen a number of such complete rulesets, some of them being
very inventive and tricky.
I see that your example also uses "skipto" with "keep-state". My
question was however if it was possible to do without "skipto".
And a simple example would be most appreciated, not a fully functional
ruleset.
I am also thinking about using "natd -deny_incoming" for keeping state,
instead of "keep-state" rules. Is this feasible?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
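As an added illustration (not part of this thread, and not FreeBSD or ipfw code), the following Python model of ipfw's rule walk shows the point behind the question: a keep-state rule whose action is allow ends the search before a later divert rule is reached, so the packet leaves untranslated and the reply cannot match the dynamic rule, while keep-state on a skipto rule records the flow and still reaches the divert rule. The addresses, the natd stand-in and the rule subset (no protocol or port fields) are constructed assumptions.

```python
import ipaddress

PUBLIC_IP = "203.0.113.1"    # constructed: external address of the NAT box
INTERNAL = "192.168.1.0/24"  # constructed: the network hidden behind it

def R(num, action, src="any", dst="any", dir="any", keep_state=False, target=None):
    return dict(num=num, action=action, src=src, dst=dst, dir=dir, keep_state=keep_state, target=target)

def in_net(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(r, pkt):
    return r["dir"] in ("any", pkt["dir"]) and in_net(r["src"], pkt["src"]) and in_net(r["dst"], pkt["dst"])

def flow(pkt):  # dynamic-rule key, direction-independent so the reply matches too
    return frozenset((pkt["src"], pkt["dst"]))

def natd(pkt, xlat):
    """Stand-in for natd: hide the internal source going out, restore it coming back."""
    if pkt["dir"] == "out" and in_net(INTERNAL, pkt["src"]):
        xlat[pkt["dst"]] = pkt["src"]
        pkt["src"] = PUBLIC_IP
    elif pkt["dir"] == "in" and pkt["dst"] == PUBLIC_IP and pkt["src"] in xlat:
        pkt["dst"] = xlat[pkt["src"]]

def run(rules, pkt, dyn, xlat):
    """Walk the rules like ipfw: allow/deny end the search, divert calls natd and resumes
    at the next rule, skipto jumps forward, keep-state records the flow in dyn."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state":
            if flow(pkt) in dyn: return "allow"
        elif matches(r, pkt):
            if r["keep_state"]: dyn.add(flow(pkt))
            if r["action"] in ("allow", "deny"): return r["action"]
            if r["action"] == "divert": natd(pkt, xlat)
            if r["action"] == "skipto":
                i = next(k for k, x in enumerate(rules) if x["num"] >= r["target"])
                continue
        i += 1
    return "allow"  # the implicit 65535 allow ip from any to any

def simulate(rules):
    """One outbound packet and its reply; returns both verdicts and the source seen on the wire."""
    dyn, xlat = set(), {}
    out = dict(src="192.168.1.10", dst="198.51.100.7", dir="out")  # constructed hosts
    v_out = run(rules, out, dyn, xlat)
    v_in = run(rules, dict(src="198.51.100.7", dst=PUBLIC_IP, dir="in"), dyn, xlat)
    return v_out, out["src"], v_in

INBOUND = [R(100, "divert", dst=PUBLIC_IP, dir="in"), R(200, "check-state")]
# keep-state on an allow rule: the packet is accepted before it reaches the divert rule
NO_SKIPTO = INBOUND + [R(300, "allow", src=INTERNAL, dir="out", keep_state=True),
                       R(400, "divert", src=INTERNAL, dir="out"), R(500, "deny")]
# keep-state on a skipto rule: state is recorded and the packet still reaches the divert rule
WITH_SKIPTO = INBOUND + [R(300, "skipto", src=INTERNAL, dir="out", keep_state=True, target=1000),
                         R(400, "deny"), R(1000, "divert", src=INTERNAL, dir="out"), R(1100, "allow")]
```

`simulate(NO_SKIPTO)` reports the outbound packet allowed with its private source still on the wire and the reply denied; `simulate(WITH_SKIPTO)` reports the source translated and the reply allowed by check-state.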