Date:      15 Apr 2001 21:57:51 -0500
From:      Kirk Strauser <kirk@strauser.com>
To:        freebsd-ipfw@freebsd.org
Subject:   keep-state issues
Message-ID:  <87ae5hpn4g.fsf@pooh.honeypot>

My FreeBSD 4.3-RC#1 server acts as a gateway for a few LANs (which need to
be firewalled from each other) to the Internet, and has a few actual
services running on it (like Sendmail, Squid, etc).

I have defined my firewall ruleset as a group of m4 macros.  For example,
these rules control TCP behavior:

define(`tcp_incoming',
     `add $1 allow tcp from $2 to $3 $4 setup in recv $5 keep-state')
define(`tcp_outgoing',
     `add $1 allow tcp from $2 to $3 $4 setup out xmit $5 keep-state')
define(`tcp_passthrough',
     `add $1 allow tcp from $2 to $3 $4 setup out recv $5 xmit $6 keep-state')

I'll use the following definitions for my examples:

  ADDR_SERVER :  The IP of this server
  ADDR_LAN    :  The netblock of the main LAN
  INT_WAN     :  The interface directly connected to the Internet
  INT_LAN     :  The interface connected to the main LAN

These rules are used like:

tcp_incoming(1000, ADDR_LAN, ADDR_SERVER, 3128, INT_LAN)
tcp_outgoing(1010, ADDR_SERVER, any, http, INT_WAN)
tcp_passthrough(1020, ADDR_LAN, any, ssh, INT_LAN, INT_WAN)

which expand to:

add 500 check-state
 ...
add 1000 allow tcp from ADDR_LAN to ADDR_SERVER 3128 setup \
     in recv INT_LAN keep-state
add 1010 allow tcp from ADDR_SERVER to any http setup \
     out xmit INT_WAN keep-state
add 1020 allow tcp from ADDR_LAN to any ssh setup out recv INT_LAN \
     xmit INT_WAN keep-state

The tcp_incoming and tcp_outgoing rules work exactly as expected.  However,
the tcp_passthrough rule has me flummoxed.  It seems as though I have a
choice of either specifying both recv and xmit interfaces *or* using
keep-state.  Is this correct?  Am I just being nearsighted and missing
something obvious?  If I am correct, can anyone recommend a replacement set
of rules that would emulate what I'm trying to achieve with tcp_passthrough?

Thanks,
-- 
Kirk Strauser
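As an added example (not code from the post or from the ipfw project), the following Python script parses the subset of ipfw `add` rule syntax that the expanded ruleset above uses, joins the backslash continuation lines, and runs two sanity checks over it: that a `check-state` rule is numbered ahead of every `keep-state` rule, and that any `keep-state` rule naming both a `recv` and an `xmit` interface (the combination the post reports as not behaving as expected) is flagged for manual verification. The symbolic names `ADDR_LAN`, `ADDR_SERVER`, `INT_LAN` and `INT_WAN` are kept as opaque strings, the sample ruleset is the one from the message, and the grammar covered is only what that ruleset contains.

```python
"""Parse a small subset of ipfw(8) 'add' rules and sanity-check the
stateful parts of the ruleset.

Added example, not code from the original post. Only the rule shapes that
appear in the message are handled: check-state; allow/deny <proto> from
SRC [port] to DST [port] followed by setup, in/out, recv/xmit/via IFACE
and keep-state.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the expanded ruleset quoted in the post, kept as a
# raw string so the trailing backslashes survive as continuation markers.
SAMPLE_RULESET = r"""
add 500 check-state
 ...
add 1000 allow tcp from ADDR_LAN to ADDR_SERVER 3128 setup \
     in recv INT_LAN keep-state
add 1010 allow tcp from ADDR_SERVER to any http setup \
     out xmit INT_WAN keep-state
add 1020 allow tcp from ADDR_LAN to any ssh setup out recv INT_LAN \
     xmit INT_WAN keep-state
"""

# Tokens that end the 'from ... to ...' body and start the option list.
OPTION_KEYWORDS = {"setup", "in", "out", "recv", "xmit", "via", "keep-state"}


@dataclass
class Rule:
    number: int
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None
    src_port: Optional[str] = None
    dst: Optional[str] = None
    dst_port: Optional[str] = None
    direction: Optional[str] = None  # "in" or "out"
    recv: Optional[str] = None
    xmit: Optional[str] = None
    via: Optional[str] = None
    setup: bool = False
    keep_state: bool = False


def parse_rule(line: str) -> Rule:
    """Parse one 'add N action ...' line into a Rule."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "add":
        raise ValueError(f"not an 'add' rule: {line!r}")
    rule = Rule(number=int(tokens[1]), action=tokens[2])
    if rule.action == "check-state":
        return rule  # check-state rules carry no body

    def need(i: int) -> str:
        if i >= len(tokens):
            raise ValueError(f"rule {rule.number}: truncated rule {line!r}")
        return tokens[i]

    i = 3
    rule.proto = need(i); i += 1
    if need(i) != "from":
        raise ValueError(f"rule {rule.number}: expected 'from'")
    i += 1
    rule.src = need(i); i += 1
    if need(i) != "to":              # optional source port precedes 'to'
        rule.src_port = tokens[i]; i += 1
    if need(i) != "to":
        raise ValueError(f"rule {rule.number}: expected 'to'")
    i += 1
    rule.dst = need(i); i += 1
    if i < len(tokens) and tokens[i] not in OPTION_KEYWORDS:
        rule.dst_port = tokens[i]; i += 1  # optional destination port
    while i < len(tokens):            # option list, in any order
        tok = tokens[i]; i += 1
        if tok == "setup":
            rule.setup = True
        elif tok in ("in", "out"):
            rule.direction = tok
        elif tok in ("recv", "xmit", "via"):
            setattr(rule, tok, need(i)); i += 1
        elif tok == "keep-state":
            rule.keep_state = True
        else:
            raise ValueError(f"rule {rule.number}: unsupported token {tok!r}")
    return rule


def parse_ruleset(text: str) -> List[Rule]:
    """Join backslash continuations, skip blanks and '...' elisions, parse."""
    rules, pending = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "..." or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            pending += stripped[:-1] + " "
            continue
        rules.append(parse_rule(pending + stripped))
        pending = ""
    return rules


def lint(rules: List[Rule]) -> List[str]:
    """Return findings about check-state ordering and recv+xmit keep-state."""
    findings = []
    check_state = [r.number for r in rules if r.action == "check-state"]
    keep = [r for r in rules if r.keep_state]
    if keep and not check_state:
        findings.append("no check-state rule: dynamic rules are only consulted "
                        "at the first keep-state rule")
    else:
        for r in keep:
            if r.number < min(check_state):
                findings.append(f"rule {r.number}: keep-state is numbered before "
                                f"check-state {min(check_state)}")
    for r in keep:
        if r.recv and r.xmit:
            findings.append(f"rule {r.number}: keep-state combined with both recv "
                            f"and xmit; verify that return traffic matches the "
                            f"dynamic rule")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ruleset(SAMPLE_RULESET)):
        print(finding)
```

Run against the post's ruleset, the only finding is for rule 1020, the tcp_passthrough expansion; rules 1000 and 1010, which name a single interface, pass both checks.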

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87ae5hpn4g.fsf>