From: Julian Elischer
Date: Wed, 04 Feb 2015 13:32:52 +0800
To: lev@FreeBSD.org, freebsd-ipfw, freebsd-net
Cc: melifaro@FreeBSD.org
Subject: Re: [RFC][patch] New "keep-state-only" option
Message-ID: <54D1AF04.8050106@freebsd.org>
In-Reply-To: <54D0F39B.4070707@FreeBSD.org>
List-Id: IPFW Technical Discussions

On 2/4/15 12:13 AM, Lev Serebryakov wrote:
> Ok, "allow-state"/"deny-state" was a very limited idea.
> Here is a more universal mechanism: a new "keep-state-only" (aliased as
> "record-only") option, which works exactly as "keep-state" BUT cancels the
> match of the rule after state creation. It allows writing a stateful + nat
> firewall as easily as:
>
> nat 1 config if outIface
>
> 1000 skipto 2000 in
>      skipto 3000 out
>      deny all from any to any // Safeguard
> 2000 skipto 4000 recv inIface
>      skipto 6000 recv outIface
>      deny all from any to any // Safeguard
> 3000 skipto 5000 xmit inIface
>      skipto 7000 xmit outIface
>      deny all from any to any // Safeguard
> 4000 // For sake of simplicity!
>      // Real firewall will have some checks about local network here
>      allow all from any to any
>      deny all from any to any // Safeguard
> 5000 // For sake of simplicity!
>      // Real firewall will have some checks about local network here
>      allow all from any to any
>      deny all from any to any // Safeguard
> 6000 deny all not dst-ip $EXT_IP
>      nat 1 all from any to any
>      // All enabled with "keep-state-only" at block 7000 before NAT
>      check-state all from any to any
>      // Here could be accept rules for our servers or servers in DMZ
>      // Disable everything else
>      deny all from any to any
> 7000 // Here go rules which could DISABLE outbound external traffic
>      // Create state for "check-state" at block 6000 and fall through
>      allow keep-state-only
>      allow src-ip $EXT_IP // Save NAT some work
>      nat 1 all from any to any
>      allow all from any to any
>      deny all from any to any // Safeguard
>
> And variants with multiple NATs and "nat global" become as easy as
> this, too! No stupid "skipto", no "keep-state" at "incoming from local
> network" parts of the firewall, nothing!
>
> P.S. I HATE this "all any to any" part!

can we get rid of it? (implied).. or just add "everything"

also I am not sure about "keep-state-only".. how about 'set-state'? or
record-state as I started with..
>
> --
> // Lev Serebryakov
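To make the difference between "keep-state" and the proposed "keep-state-only" concrete, here is a toy rule evaluator written for this page; it is not code from the patch, from ipfw or from either author. It models only the external-interface blocks 6000/7000 of the quoted ruleset, reduces the recv/xmit interface tests to a direction field, and stands in for NAT with a static 1:1 mapping between the constructed addresses LAN_HOST and EXT_IP.

```python
"""Toy evaluator for the proposed ipfw "keep-state-only" option.
Added example, not code from the patch, from ipfw or from either author:
only blocks 6000/7000 (external interface) of the quoted ruleset are
modelled, rules are Python tuples, NAT is a static 1:1 LAN_HOST<->EXT_IP map."""
EXT_IP, LAN_HOST, REMOTE = "203.0.113.7", "192.0.2.10", "198.51.100.3"  # constructed

def flow(p):  # direction-agnostic key, so a reply finds the state of its request
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

# (rule number, action, predicate, state keyword or None); "in"/"out" stand
# for the recv/xmit interface tests of the original blocks 1000-3000
RULES = [
    (1000, "skipto 6000", lambda p: p["dir"] == "in", None),
    (1001, "skipto 7000", lambda p: p["dir"] == "out", None),
    (6000, "deny", lambda p: p["dst"] != EXT_IP, None),
    (6001, "nat", lambda p: True, None),                 # un-NAT before check-state
    (6002, "check-state", lambda p: True, None),
    (6003, "deny", lambda p: True, None),                # everything else inbound
    (7000, "allow", lambda p: True, "keep-state-only"),  # record state, fall through
    (7001, "allow", lambda p: p["src"] == EXT_IP, None), # save NAT some work
    (7002, "nat", lambda p: True, None),
    (7003, "allow", lambda p: True, None),
]

def evaluate(pkt, states, rules=RULES):
    """Walk rules for pkt (nat mutates it); states maps flow() -> parent verdict."""
    i = 0
    while i < len(rules):
        _num, action, pred, keep = rules[i]
        if pred(pkt):
            if action == "check-state" and flow(pkt) in states:
                return states[flow(pkt)]           # verdict of the recording rule
            if action == "nat":                    # translate, then keep searching
                if pkt["dir"] == "out":
                    pkt["src"] = EXT_IP
                else:
                    pkt["dst"] = LAN_HOST
            elif keep:
                states[flow(pkt)] = action         # this much is plain keep-state
                if keep != "keep-state-only":      # keep-state: the match stands
                    return action
                # keep-state-only: state recorded, match cancelled, search continues
            elif action.startswith("skipto"):
                i = next(n for n, r in enumerate(rules) if r[0] >= int(action.split()[1]))
                continue
            elif action != "check-state":
                return action                      # allow / deny ends the search
        i += 1
    return "deny"                                  # implicit safeguard
```

Swapping rule 7000 to plain "keep-state" shows why the fall-through matters: the outbound packet is then accepted at 7000 before the nat rule runs, so it would leave with its LAN source address.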