keep-state and divert

Victor Sudakov vas at mpeks.tomsk.su
Thu Apr 2 01:01:06 PDT 2009


Paul A Procacci wrote:
> >
> >I have read some recommendations on combining a stateful firewall with 
> >divert,
> >e.g. 
> >http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> >and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
> >
> >Do I understand correctly that it is (mathematically?) impossible to
> >use the two together without also using "skipto"?
> >
> >If we consider a simple example below, how would you replace the 600th
> >rule for a stateful one?
> >
> >00100 divert 8668 ip from any to table(1) out via rl0
> >00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> >00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> >00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> >
> >00500 divert 8668 ip from table(1) to any in via rl0
> >00600 allow ip from table(1) to any in via rl0
> >00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> >00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> >00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
> >
> >65535 allow ip from any to any
> >
> >Thank you in advance for any input.
> >
> >
> 
> Hopefully you don't mind a response which provides a fully functioning
> firewall ruleset.  It's by no means complete, but should give you the
> answer to your question.
> 
> http://procacci.me/ipfw.conf

I have seen a number of such complete rulesets, some of them being
very inventive and tricky. 

I see that your example also uses "skipto" with "keep-state".  My
question was however if it was possible to do without "skipto". 

And a simple example would be most appreciated, not a fully functional
ruleset.

I am also thinking about using "natd -deny_incoming" for keeping state,
instead of "keep-state" rules. Is this feasible?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
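The example below is added here and is not code from the thread or from either poster. It is a small first-match evaluator for the ipfw rule syntax used in the quoted ruleset, so the path a packet takes through those ten rules can be checked offline. Assumptions, all constructed for the example: rl0 is the outside interface, table(1) holds 203.0.113.0/29, and a divert rule hands the packet to natd and processing resumes at the next rule when natd reinjects it, while the address translation natd would perform is not modelled. It does not answer the keep-state question; it only shows what the static rules do.

```python
import ipaddress

# Constructed sample: the ten rules quoted in the thread (rl0 = outside interface).
RULESET = """
00100 divert 8668 ip from any to table(1) out via rl0
00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
00500 divert 8668 ip from table(1) to any in via rl0
00600 allow ip from table(1) to any in via rl0
00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
65535 allow ip from any to any
"""

# Constructed assumption: table(1) holds the public addresses natd serves.
TABLE1 = [ipaddress.ip_network("203.0.113.0/29")]


def parse_rule(line):
    """Parse one rule in the subset of ipfw syntax used above into a dict."""
    toks = line.split()
    rule = {"num": int(toks[0]), "action": toks[1], "port": None}
    i = 2
    if rule["action"] == "divert":          # divert takes a port argument
        rule["port"] = int(toks[i])
        i += 1
    if toks[i] == "log":                    # 'log' / 'logamount N' never affect matching
        i += 1
        if toks[i] == "logamount":
            i += 2
    if toks[i] != "ip" or toks[i + 1] != "from" or toks[i + 3] != "to":
        raise ValueError("unsupported rule syntax: " + line)
    rule["src"], rule["dst"] = toks[i + 2], toks[i + 4]
    rest = toks[i + 5:]
    rule["dir"] = rest[0] if rest and rest[0] in ("in", "out") else None
    rule["via"] = rest[rest.index("via") + 1] if "via" in rest else None
    return rule


def load_ruleset(text):
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]


def addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec == "table(1)":
        return any(addr in net for net in TABLE1)
    return addr in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, pkt):
    """Walk the rules first-match style for a packet dict with src, dst, dir, iface.

    A matching divert rule sets 'diverted' and evaluation continues at the next
    rule, as it does when natd reinjects the packet; natd's rewriting of the
    addresses is deliberately not modelled. Returns (rule number, verdict, diverted).
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    diverted = False
    for r in rules:
        if r["dir"] and r["dir"] != pkt["dir"]:
            continue
        if r["via"] and r["via"] != pkt["iface"]:
            continue
        if not (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)):
            continue
        if r["action"] == "divert":
            diverted = True
            continue
        return r["num"], r["action"], diverted
    return None, "drop", diverted           # nothing matched; 65535 normally prevents this


RULES = load_ruleset(RULESET)

if __name__ == "__main__":
    # Constructed sample packets, one per interesting path through the ruleset.
    samples = [
        {"src": "198.51.100.7", "dst": "10.0.0.5", "dir": "in", "iface": "rl0"},
        {"src": "203.0.113.2", "dst": "198.51.100.7", "dir": "in", "iface": "rl0"},
        {"src": "10.0.0.5", "dst": "198.51.100.7", "dir": "out", "iface": "rl0"},
        {"src": "203.0.113.2", "dst": "198.51.100.7", "dir": "out", "iface": "rl0"},
    ]
    for p in samples:
        print(p["dir"], p["src"], "->", p["dst"], evaluate(RULES, p))
```

Because the evaluator stops at the first allow or deny, it makes visible that rule 600 is reached only by packets that already passed through the divert at 500; any stateful replacement for 600 has to be matched against whatever addresses the packet carries at that point in the walk.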

