Date:      Thu, 2 Apr 2009 02:30:41 -0500
From:      Paul A Procacci <pprocacci@datapipe.net>
To:        Victor Sudakov <vas@mpeks.tomsk.su>, <freebsd-questions@freebsd.org>
Subject:   Re: keep-state and divert
Message-ID:  <49D469A1.3060103@datapipe.net>
In-Reply-To: <20090402055113.GA35989@admin.sibptus.tomsk.ru>
References:  <20090402055113.GA35989@admin.sibptus.tomsk.ru>


Victor Sudakov wrote:
> Colleagues,
>
> I have read some recommendations on combining a stateful firewall with divert,
> e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
>
> Do I understand correctly that it is (mathematically?) impossible to
> use the two together without also using "skipto"?
>
> If we consider the simple example below, how would you replace the 600th
> rule with a stateful one?
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
>
> 00500 divert 8668 ip from table(1) to any in via rl0
> 00600 allow ip from table(1) to any in via rl0
> 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
>
> 65535 allow ip from any to any
>
> Thank you in advance for any input.
>
>

Hopefully you don't mind a response which provides a fully functioning
firewall ruleset.  It's by no means complete, but should give you the
answer to your question.

http://procacci.me/ipfw.conf

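An added example, written for this page and not the ruleset Paul links to at procacci.me (which is not reproduced here): the check-state / skipto / divert ordering that lets natd and keep-state coexist, using the quoted ruleset's assumptions that rl0 is the outside interface, natd listens on divert port 8668, and table(1) holds the external destinations that are reached through NAT. It is a shell script; with the default IPFW=echo it only prints the ipfw commands so the ordering can be reviewed anywhere, and IPFW=ipfw applies them on the FreeBSD host.

```shell
#!/bin/sh
# Added example: ipfw + natd with keep-state, using skipto.
# Assumed layout (taken from the quoted ruleset, not from procacci.me):
#   EXT       - outside interface (rl0)
#   NATD_PORT - divert port natd listens on (8668)
#   table(1)  - external destinations that are reached through NAT
# With the default IPFW="echo ipfw" the script only prints the commands;
# set IPFW=ipfw on the FreeBSD box to load them.

EXT=${EXT:-rl0}
NATD_PORT=${NATD_PORT:-8668}
IPFW=${IPFW:-echo ipfw}

add() {
    $IPFW -q add "$@"
}

load_rules() {
    $IPFW -q -f flush

    # 1. Un-NAT replies from the NATed peers before anything else, so the
    #    packet carries the private address that was recorded in the
    #    dynamic rule on the way out.
    add 00100 divert "$NATD_PORT" ip from "table(1)" to any in via "$EXT"

    # 2. Dynamic rules are consulted here, before any static rule. A match
    #    runs the action of the rule that created the state, i.e. the
    #    skipto 1000 of rule 300:
    #    - outbound follow-up packets: skipto 1000 -> NAT -> allowed;
    #    - un-NATed replies: rule 1000 is an "out" rule and does not match
    #      them, so they fall through to the final allow.
    add 00200 check-state

    # 3. First packet of a flow to a NATed peer: record state while the
    #    source is still private, then jump to the outbound divert. An
    #    "allow ... keep-state" here would instead let later packets of
    #    the flow leave untranslated as soon as check-state matched them.
    add 00300 skipto 1000 ip from any to "table(1)" out via "$EXT" keep-state

    # 4. Anti-spoofing rules kept from the quoted ruleset: untranslated
    #    private sources leaving, and private destinations arriving, on
    #    the outside interface. Legitimate replies never reach these,
    #    rule 200 has already taken them.
    add 00400 deny log logamount 100 ip from 10.0.0.0/8 to any out via "$EXT"
    add 00500 deny log logamount 100 ip from 172.16.0.0/12 to any out via "$EXT"
    add 00600 deny log logamount 100 ip from 192.168.0.0/16 to any out via "$EXT"
    add 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via "$EXT"
    add 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via "$EXT"
    add 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via "$EXT"

    # 5. Outbound NAT. Only packets sent here by rule 300, directly or
    #    through check-state, match; natd re-injects them at the next rule.
    add 01000 divert "$NATD_PORT" ip from any to "table(1)" out via "$EXT"

    # 6. Explicit equivalent of the 65535 allow in the quoted ruleset.
    add 01010 allow ip from any to any
}

load_rules
```

The reason skipto is the action on the stateful rule, rather than allow, is that a dynamic rule matched by check-state executes the action of the rule that created it: skipto 1000 sends outbound packets of an established flow on to the divert, while the same action is a no-op for the un-NATed inbound replies, which then continue to the final allow. Placing the outbound divert before a plain "allow ... keep-state" does not work either, because the state would then be recorded with the translated source address and the un-NATed replies would never match it. One caveat: static redirects configured in natd (-redirect_port and friends) create no dynamic rule, so inbound flows to them rely on whatever static rules follow rule 900.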



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?49D469A1.3060103>