From owner-freebsd-questions@FreeBSD.ORG Thu Apr 2 07:32:08 2009
From: Paul A Procacci
To: Victor Sudakov
Date: Thu, 2 Apr 2009 02:30:41 -0500
Subject: Re: keep-state and divert
Message-ID: <49D469A1.3060103@datapipe.net>
In-Reply-To: <20090402055113.GA35989@admin.sibptus.tomsk.ru>

Victor Sudakov wrote:
> Colleagues,
>
> I have read some recommendations on combining a stateful firewall with divert,
> e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
>
> Do I understand correctly that it is (mathematically?) impossible to
> use the two together without also using "skipto"?
>
> If we consider a simple example below, how would you replace the 600th
> rule for a stateful one?
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
>
> 00500 divert 8668 ip from table(1) to any in via rl0
> 00600 allow ip from table(1) to any in via rl0
> 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
>
> 65535 allow ip from any to any
>
> Thank you in advance for any input.
>

Hopefully you don't mind a response which provides a fully functioning firewall ruleset. It's by no means complete, but should give you the answer to your question.

http://procacci.me/ipfw.conf
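The "skipto" construction the question alludes to, written out as an added example (it is neither part of this thread nor taken from the linked ipfw.conf). It assumes rl0 is the external interface, table(1) holds the internal addresses natd translates, and natd listens on divert port 8668; it is a fragment, so the router's own traffic on rl0 is not covered.

```ipfw
# Added example: keep-state combined with divert(4)/natd via skipto.
# Assumptions (not from the thread): rl0 is the external interface,
# table(1) holds the internal addresses natd translates, natd listens
# on divert port 8668. Fragment only; load with: ipfw /path/to/file

# Inbound on rl0: translate first, so the packet already carries the
# internal address when check-state looks up the dynamic rule.
add 00100 divert 8668 ip from any to any in via rl0
add 00200 check-state
# Inbound traffic to an internal host with no dynamic rule is unsolicited.
add 00300 deny log logamount 100 ip from any to table(1) in via rl0

# Outbound on rl0: create state on the UNTRANSLATED packet, then jump to
# the divert block. "allow ... keep-state" here would end rule processing
# and the packet would leave rl0 untranslated; "divert" before keep-state
# would record the public address, which a reply translated by rule 100
# no longer carries. Only skipto lets both happen in the right order.
add 00400 skipto 01000 ip from table(1) to any out via rl0 keep-state

# Divert block. Translate, then drop anything still carrying a private
# source (a NAT failure), then pass. Note the final allow has no
# direction: a check-state hit at rule 200 re-executes the parent
# rule's action, i.e. skipto 01000, so inbound replies also land here
# and must pass, while the "out via rl0" rules do not match them.
add 01000 divert 8668 ip from any to any out via rl0
add 01100 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
add 01200 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
add 01300 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
add 01400 allow ip from any to any
```

Divert reinjects the packet at the rule following the divert rule, which is what lets the private-source checks at 1100 to 1300 run on the translated packet; if any of them ever logs a hit, natd is not translating what you think it is.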