From: Victor Sudakov <vas@mpeks.tomsk.su>
To: freebsd-questions@freebsd.org
Date: Thu, 2 Apr 2009 12:51:13 +0700
Subject: keep-state and divert

Colleagues,

I have read some recommendations on combining a stateful firewall with divert, e.g.

http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
http://nuclight.livejournal.com/124348.html (the latter is in Russian)

Do I understand correctly that it is (mathematically?) impossible to use the two together without also using "skipto"? If we consider the simple example below, how would you replace the 600th rule with a stateful one?

00100 divert 8668 ip from any to table(1) out via rl0
00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
00500 divert 8668 ip from table(1) to any in via rl0
00600 allow ip from table(1) to any in via rl0
00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
65535 allow ip from any to any

Thank you in advance for any input.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
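The following is an added toy model of ipfw first-match evaluation, written to illustrate the skipto pattern the two linked posts recommend; it is not the poster's ruleset, not a reply from the list, and not ipfw itself. Everything below is an assumption of the example rather than something stated in the mail: net.inet.ip.fw.one_pass=0, so a packet handed back by natd re-enters the ruleset at the rule after the divert; a single public address 203.0.113.1 on rl0; "source/destination is RFC 1918" as the match in place of table(1); the three RFC 1918 deny rules collapsed into one per direction; and a check-state hit being handled with the action of the rule that created the dynamic entry, as ipfw does. It runs three variants of the same ruleset shape: an allow ... keep-state placed before the outbound divert, a keep-state placed after the outbound divert with check-state standing in for rule 600, and skipto ... keep-state.

```python
# Added toy model of ipfw evaluation with divert/natd, keep-state, check-state
# and skipto.  Not the poster's ruleset and not ipfw.  Assumed: one_pass=0
# (a packet natd hands back continues at the next rule), one public address on
# rl0, RFC 1918 matching in place of table(1), and a check-state hit handled
# with the parent rule's action.  Packets are (src, sport, dst, dport, dir).
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.1"  # assumed address of the outside interface rl0
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    return any(ip_address(ip) in net for net in PRIVATE)


def out_private(p): return p[4] == "out" and is_private(p[0])
def out_public(p):  return p[4] == "out" and p[0] == PUBLIC_IP
def in_private(p):  return p[4] == "in" and is_private(p[2])
def in_public(p):   return p[4] == "in" and p[2] == PUBLIC_IP


def conn_key(p):
    """Dynamic rules match both directions: key on the unordered endpoint pair."""
    return frozenset({(p[0], p[1]), (p[2], p[3])})


class Natd:
    """Minimal port NAT standing in for natd behind 'divert 8668'."""

    def __init__(self):
        self.out, self.back = {}, {}

    def translate(self, pkt):
        src, sport, dst, dport, direction = pkt
        if direction == "out" and is_private(src):
            port = self.out.setdefault((src, sport), 40000 + len(self.out))
            self.back[port] = (src, sport)
            return (PUBLIC_IP, port, dst, dport, direction)
        if direction == "in" and dst == PUBLIC_IP and dport in self.back:
            lan_ip, lan_port = self.back[dport]
            return (src, sport, lan_ip, lan_port, direction)
        return pkt


class Ipfw:
    """Rules are (number, action, match, keep_state, skipto_target)."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r[0])  # rule numbers order evaluation
        self.natd = Natd()
        self.dyn = {}  # conn_key -> index of the rule that created the entry

    def run(self, pkt):
        """Return (verdict, packet as it leaves the ruleset)."""
        i = 0
        while i < len(self.rules):
            _num, action, match, keep_state, target = self.rules[i]
            if action == "check-state":
                if conn_key(pkt) not in self.dyn:
                    i += 1
                    continue
                i = self.dyn[conn_key(pkt)]  # hit: apply the parent rule's action
                _num, action, match, keep_state, target = self.rules[i]
            elif not match(pkt):
                i += 1
                continue
            if keep_state:
                self.dyn[conn_key(pkt)] = i
            if action in ("allow", "deny"):
                return action, pkt
            if action == "divert":
                pkt = self.natd.translate(pkt)  # one_pass=0: continue at next rule
                i += 1
            elif action == "skipto":
                i = next(k for k, r in enumerate(self.rules) if r[0] >= target)
        return "allow", pkt  # 65535 allow ip from any to any


def skeleton(stateful_out):
    """Shape of the poster's ruleset with inbound NAT first; only the stateful rule(s) differ."""
    return [(100, "divert", in_public, False, None),     # divert 8668 ... in via rl0
            (200, "check-state", None, False, None),     # in place of 'allow ... in via rl0'
            *stateful_out,
            (400, "deny", out_private, False, None),     # the three RFC 1918 denies, out
            (450, "deny", in_private, False, None),      # the three RFC 1918 denies, in
            (600, "divert", out_private, False, None)]   # divert 8668 ... out via rl0


ALLOW_BEFORE_NAT = skeleton([(300, "allow", out_private, True, None)])
STATE_AFTER_NAT = skeleton([(300, "skipto", out_private, False, 600),
                            (650, "allow", out_public, True, None)])
SKIPTO_KEEP_STATE = skeleton([(300, "skipto", out_private, True, 600)])


def exchange(rules):
    """Constructed traffic: a LAN host opens port 80 on a server, the server replies."""
    fw = Ipfw(rules)
    v_out, egress = fw.run(("192.168.1.10", 51000, "198.51.100.7", 80, "out"))
    if v_out != "allow" or is_private(egress[0]):
        return v_out, egress, "no reply", None  # denied, or left rl0 untranslated
    reply = (egress[2], egress[3], egress[0], egress[1], "in")
    v_in, delivered = fw.run(reply)
    return v_out, egress, v_in, delivered


if __name__ == "__main__":
    for name, rules in (("allow keep-state before NAT", ALLOW_BEFORE_NAT),
                        ("keep-state after NAT", STATE_AFTER_NAT),
                        ("skipto keep-state", SKIPTO_KEEP_STATE)):
        print(f"{name:28} -> {exchange(rules)}")
```

Under these assumptions the first variant records state but terminates before the outbound divert, so the packet leaves rl0 with its private source; the second records the translated tuple, which no longer matches once the inbound divert has rewritten the reply, so the reply falls through to the inbound deny; only skipto ... keep-state records the untranslated tuple and still lets the packet reach the divert.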