Date: Wed, 04 Feb 2015 13:32:52 +0800
From: Julian Elischer <julian@freebsd.org>
To: lev@FreeBSD.org, freebsd-ipfw <freebsd-ipfw@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Cc: melifaro@FreeBSD.org
Subject: Re: [RFC][patch] New "keep-state-only" option
Message-ID: <54D1AF04.8050106@freebsd.org>
In-Reply-To: <54D0F39B.4070707@FreeBSD.org>
References: <54D0F39B.4070707@FreeBSD.org>
On 2/4/15 12:13 AM, Lev Serebryakov wrote:
>
> Ok, "allow-state"/"deny-state" was a very limited idea.
> Here is a more universal mechanism: a new "keep-state-only" (aliased as
> "record-only") option, which works exactly as "keep-state" BUT cancels
> the match of the rule after state creation. It allows writing a
> stateful + nat firewall as easily as:
>
> nat 1 config if outIface
>
> 1000 skipto 2000 in
>      skipto 3000 out
>      deny all from any to any // Safeguard
> 2000 skipto 4000 recv inIface
>      skipto 6000 recv outIface
>      deny all from any to any // Safeguard
> 3000 skipto 5000 xmit inIface
>      skipto 7000 xmit outIface
>      deny all from any to any // Safeguard
> 4000 // For sake of simplicity!
>      // Real firewall will have some checks about local network here
>      allow all from any to any
>      deny all from any to any // Safeguard
> 5000 // For sake of simplicity!
>      // Real firewall will have some checks about local network here
>      allow all from any to any
>      deny all from any to any // Safeguard
> 6000 deny all not dst-ip $EXT_IP
>      nat 1 all from any to any
>      // All enabled with "keep-state-only" at block 7000 before NAT
>      check-state all from any to any
>      // Here could be accept rules for our servers or servers in DMZ
>      // Disable everything else
>      deny all from any to any
> 7000 // Here go rules which could DISABLE outbound external traffic
>      // Create state for "check-state" at block 6000 and fall through
>      allow keep-state-only
>      allow src-ip $EXT_IP // Save NAT some work
>      nat 1 all from any to any
>      allow all from any to any
>      deny all from any to any // Safeguard
>
> And variants with multiple NATs and "nat global" become as easy as
> this, too! No stupid "skipto", no "keep-state" at "incoming from local
> network" parts of firewall, nothing!
>
> P.S.
I HATE this "all any to any" part!
can we get rid of it? (implied).. or just add "everything"

also I am not sure about "keep-state-only"..
how about 'set-state'?
or record-state as I started with..

> --
> // Lev Serebryakov
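Worked example, added here and not part of the thread or of ipfw itself: a small Python model of ipfw rule traversal that runs one outbound packet and its reply through blocks 1000, 6000 and 7000 of the quoted ruleset (reduced to a single external interface), once with a plain `allow keep-state` at rule 7000 and once with the proposed `allow keep-state-only`. The addresses ($EXT_IP = 203.0.113.10, inside network 192.168.1.0/24, peer 198.51.100.5), the port-keyed NAT table and the assumption that rule processing continues after `nat` (net.inet.ip.fw.one_pass=0, which the quoted ruleset relies on) are constructed for the example.

```python
# Toy model of ipfw rule traversal, built to contrast "keep-state" with the
# proposed "keep-state-only" modifier. Constructed example, not ipfw code.

EXT_IP = "203.0.113.10"     # assumed public address ($EXT_IP in the quoted rules)
LAN_PREFIX = "192.168.1."   # assumed inside network


def build_rules(state_modifier):
    """Rules as (number, action, argument, match conditions); argument is the
    skipto target or the state modifier of an allow rule."""
    return [
        # Block 1000: dispatch on direction (single external interface assumed).
        (1000, "skipto", 6000, {"dir": "in"}),
        (1001, "skipto", 7000, {"dir": "out"}),
        (1002, "deny", None, {}),                # safeguard
        # Block 6000: inbound on the external interface.
        (6000, "deny", None, {"not_dst": EXT_IP}),
        (6001, "nat", None, {}),                 # de-NAT first ...
        (6002, "check-state", None, {}),         # ... then match state from block 7000
        (6003, "deny", None, {}),                # everything else
        # Block 7000: outbound on the external interface.
        (7000, "allow", state_modifier, {}),     # "keep-state" or "keep-state-only"
        (7001, "allow", None, {"src": EXT_IP}),  # save NAT some work
        (7002, "nat", None, {}),
        (7003, "allow", None, {}),
        (7004, "deny", None, {}),                # safeguard
    ]

def matches(cond, pkt):
    for key, want in cond.items():
        if key == "not_dst":
            if pkt["dst"] == want:
                return False
        elif pkt[key] != want:
            return False
    return True

def flow_key(pkt):
    """Direction-agnostic endpoint pair standing in for an ipfw dynamic rule."""
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

def do_nat(pkt, table):
    """Simplified 'nat 1 config if outIface': masquerade LAN sources behind
    EXT_IP, keyed on source port only (port collisions ignored)."""
    pkt = dict(pkt)
    if pkt["dir"] == "out" and pkt["src"].startswith(LAN_PREFIX):
        table[pkt["sport"]] = pkt["src"]
        pkt["src"] = EXT_IP
    elif pkt["dir"] == "in" and pkt["dst"] == EXT_IP and pkt["dport"] in table:
        pkt["dst"] = table[pkt["dport"]]
    return pkt

def evaluate(rules, pkt, state, nat_table):
    """Walk the rules as ipfw does: the first terminal action wins. Assumes
    one_pass=0, so processing continues after nat. Returns (verdict, packet, rules hit)."""
    idx, trace = 0, []
    while idx < len(rules):
        num, action, arg, cond = rules[idx]
        if not matches(cond, pkt):
            idx += 1
            continue
        trace.append(num)
        if action == "skipto":
            idx = next(i for i, r in enumerate(rules) if r[0] >= arg)
        elif action == "deny":
            return "deny", pkt, trace
        elif action == "nat":
            pkt = do_nat(pkt, nat_table)
            idx += 1
        elif action == "check-state":
            if flow_key(pkt) in state:
                return "allow", pkt, trace   # dynamic rule fires its parent's action
            idx += 1
        elif action == "allow":
            if arg in ("keep-state", "keep-state-only"):
                state.add(flow_key(pkt))
            if arg == "keep-state-only":
                idx += 1                     # state recorded, match cancelled: fall through
            else:
                return "allow", pkt, trace
    return "deny", pkt, trace                # implicit default deny

def simulate(state_modifier):
    """A LAN host opens a connection and the reply comes back; report the
    verdict, the rewritten address and the rules hit for each packet."""
    rules, state, nat_table = build_rules(state_modifier), set(), {}
    out = {"dir": "out", "src": "192.168.1.20", "sport": 40000,
           "dst": "198.51.100.5", "dport": 443}
    v_out, p_out, t_out = evaluate(rules, out, state, nat_table)
    reply = {"dir": "in", "src": "198.51.100.5", "sport": 443,
             "dst": EXT_IP, "dport": 40000}
    v_in, p_in, t_in = evaluate(rules, reply, state, nat_table)
    return {"out": (v_out, p_out["src"], t_out), "in": (v_in, p_in["dst"], t_in)}

def unsolicited():
    """Inbound packet with no recorded state must die in block 6000."""
    rules, state, nat_table = build_rules("keep-state-only"), set(), {}
    pkt = {"dir": "in", "src": "198.51.100.7", "sport": 5555, "dst": EXT_IP, "dport": 22}
    verdict, _, trace = evaluate(rules, pkt, state, nat_table)
    return verdict, trace

if __name__ == "__main__":
    for modifier in ("keep-state", "keep-state-only"):
        print(modifier, simulate(modifier))
    print("unsolicited", unsolicited())
```

With plain keep-state the allow at 7000 is terminal: the packet leaves with its private source address and never reaches the nat rule, and the reply, which nothing de-NATs, misses check-state and is dropped at the end of block 6000. With keep-state-only the state is recorded with the pre-NAT addresses, the packet falls through to nat and is accepted by the allow after it, and the reply, de-NATed at the top of block 6000, matches check-state. unsolicited() checks that an inbound packet with no state is still denied.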