From: Victor Sudakov
To: freebsd-questions@freebsd.org
Date: Sat, 10 Jan 2015 15:55:02 +0600
Subject: A superficially simple stateful ipfw configuration?
Message-ID: <20150110095502.GA71577@admin.sibptus.tomsk.ru>

Colleagues,

Has anyone been able to emulate the logic of Cisco PIX with ipfw? Like, there are 3 interfaces: Inside, Outside and DMZ. You assign security levels to the interfaces (Outside=0, DMZ=50, Inside=100) and the traffic can be initiated only from the more secure interface to the less secure one and not vice versa. The check-state traffic can also return from the less secure interface to the more secure one.

It sounds simple but I have difficulties implementing the logic with ipfw. Any recipes/macros please?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
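One way to express the security-level policy described in the post, added here as an example and not taken from the original thread: a POSIX sh script that generates an ipfw ruleset from a constructed interface/level table. The interface names em0/em1/em2, the levels and the rule numbers are assumptions; the policy decision is made on the outbound pass because that is the only point where ipfw knows both the receive and the transmit interface.

```shell
#!/bin/sh
# Emulate the PIX "security level" model with ipfw: a connection may only
# be initiated from a higher-level interface to a lower-level one; replies
# come back through the dynamic rules that check-state consults.
# Constructed example table ("iface level"); names and levels are placeholders.
IFACES="em0 100
em1 50
em2 0"

# Print the ipfw commands (without the leading "ipfw") for table $1.
pix_rules() {
    # Dynamic (stateful) entries are consulted first, so reply packets of an
    # established flow pass whatever direction they travel.
    echo "add 100 check-state"
    # Inbound pass: the egress interface is not known yet, so forwarded
    # packets are handed to routing and judged on the outbound pass.
    # Packets addressed to the firewall itself are NOT allowed here; they
    # only pass if a dynamic rule already matched them at check-state.
    echo "add 200 allow ip from any to not me in"
    # Traffic the firewall originates itself.
    echo "add 250 allow ip from me to any out keep-state"
    # Outbound pass: both interfaces are known; allow a new flow only when
    # the receiving interface has a strictly higher level than the sending one.
    echo "$1" | while read -r src slvl; do
        [ -n "$src" ] || continue
        echo "$1" | while read -r dst dlvl; do
            [ -n "$dst" ] || continue
            if [ "$slvl" -gt "$dlvl" ]; then
                echo "add 300 allow ip from any to any out recv $src xmit $dst keep-state"
            fi
        done
    done
    # Everything else, including lower-to-higher initiation, is dropped.
    echo "add 65000 deny ip from any to any"
}

# Number of generated stateful pair rules (useful as a sanity check).
pair_rule_count() {
    pix_rules "$1" | grep -c 'out recv'
}

if [ "${1:-}" = "apply" ]; then
    # Load into the kernel. This flushes the live ruleset first, so run it
    # from the console rather than over a session the new rules could cut off.
    ipfw -q flush
    pix_rules "$IFACES" | while read -r rule; do
        ipfw -q $rule
    done
else
    pix_rules "$IFACES"
fi
```

Run with no argument to print the rules for review; `apply` flushes and loads them.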