From: Kirk Strauser
To: freebsd-ipfw@freebsd.org
Subject: keep-state issues
Date: 15 Apr 2001 21:57:51 -0500
Message-ID: <87ae5hpn4g.fsf@pooh.honeypot>

My FreeBSD 4.3-RC#1 server acts as a gateway for a few LANs (which need to be firewalled from each other) to the Internet, and has a few actual services running on it (like Sendmail, Squid, etc). I have defined my firewall ruleset as a group of m4 macros.
For example, these rules control TCP behavior:

    define(`tcp_incoming', `add $1 allow tcp from $2 to $3 $4 setup in recv $5 keep-state')
    define(`tcp_outgoing', `add $1 allow tcp from $2 to $3 $4 setup out xmit $5 keep-state')
    define(`tcp_passthrough', `add $1 allow tcp from $2 to $3 $4 setup out recv $5 xmit $6 keep-state')

I'll use the following definitions for my examples:

    ADDR_SERVER : The IP of this server
    ADDR_LAN    : The netblock of the main LAN
    INT_WAN     : The interface directly connected to the Internet
    INT_LAN     : The interface connected to the main LAN

These rules are used like:

    tcp_incoming(1000, ADDR_LAN, ADDR_SERVER, 3128, INT_LAN)
    tcp_outgoing(1010, ADDR_SERVER, any, http, INT_WAN)
    tcp_passthrough(1020, ADDR_LAN, any, ssh, INT_LAN, INT_WAN)

which expand to:

    add 500 check-state ...
    add 1000 allow tcp from ADDR_LAN to ADDR_SERVER 3128 setup \
        in recv INT_LAN keep-state
    add 1010 allow tcp from ADDR_SERVER to any http setup \
        out xmit INT_WAN keep-state
    add 1020 allow tcp from ADDR_LAN to any ssh setup out recv INT_LAN \
        xmit INT_WAN keep-state

The tcp_incoming and tcp_outgoing rules work exactly as expected. However, the tcp_passthrough rule has me flummoxed. It seems as though I have a choice of either specifying both recv and xmit interfaces *or* using keep-state. Is this correct? Am I just being nearsighted and missing something obvious?

If I am correct, can anyone recommend a replacement set of rules that would emulate what I'm trying to achieve with tcp_passthrough?

Thanks,
-- 
Kirk Strauser
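An added example, not from the post or from ipfw itself: a small Python parser for ipfw rules in the expanded form above, plus a check that lists the rule numbers combining both recv and xmit with keep-state, the pattern the question is about. It models only the options these rules use, and the sample ruleset is constructed from the expanded rules in the post with the placeholder names left as written.

```python
# Constructed sample: the expanded rules from the post, macro names left unexpanded.
RULESET = """
add 500 check-state
add 1000 allow tcp from ADDR_LAN to ADDR_SERVER 3128 setup in recv INT_LAN keep-state
add 1010 allow tcp from ADDR_SERVER to any http setup out xmit INT_WAN keep-state
add 1020 allow tcp from ADDR_LAN to any ssh setup out recv INT_LAN xmit INT_WAN keep-state
"""

# Only the options these rules use are modelled (assumption, not the full ipfw grammar).
FLAG_OPTIONS = {"setup", "in", "out", "keep-state", "established"}
ARG_OPTIONS = {"recv", "xmit", "via"}          # each is followed by an interface name

def parse_rule(line):
    """Parse 'add <num> <action> [proto from src to dst [dport] options...]' into a dict."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "add":
        raise ValueError("not an ipfw add rule: %r" % line)
    rule = {"number": int(tokens[1]), "action": tokens[2], "dport": None, "options": {}}
    if rule["action"] == "check-state":         # check-state has no match body
        return rule
    rest = tokens[3:]
    if len(rest) < 5 or rest[1] != "from" or rest[3] != "to":
        raise ValueError("malformed rule body: %r" % line)
    rule.update(proto=rest[0], src=rest[2], dst=rest[4])
    opts = rest[5:]
    if opts and opts[0] not in FLAG_OPTIONS | ARG_OPTIONS:
        rule["dport"] = opts.pop(0)             # bare token after dst is the port
    i = 0
    while i < len(opts):
        tok = opts[i]
        if tok in ARG_OPTIONS:                  # recv/xmit/via <interface>
            rule["options"][tok], i = opts[i + 1], i + 2
        elif tok in FLAG_OPTIONS:
            rule["options"][tok], i = True, i + 1
        else:
            raise ValueError("unknown option %r in rule %d" % (tok, rule["number"]))
    return rule

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]

def dual_interface_stateful(rules):
    """Numbers of rules that name both recv and xmit interfaces and keep state."""
    return [r["number"] for r in rules
            if {"recv", "xmit", "keep-state"} <= set(r["options"])]

if __name__ == "__main__":
    for num in dual_interface_stateful(parse_ruleset(RULESET)):
        print("rule %d combines recv, xmit and keep-state" % num)
```

Run against the sample, only rule 1020 (the tcp_passthrough expansion) is reported.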