Date: Mon, 5 Aug 2002 11:05:36 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Nick Rogness <nick@rogness.net>
Cc: Joe & Fhe Barbish <barbish@a1poweruser.com>, FBIPFW <freebsd-ipfw@FreeBSD.ORG>, archie@whistle.com, cmott@scientech.com, perhaps@yes.no, suutari@iki.fi, dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.ORG, rizzo@icir.org
Subject: Re: natd & keep-state
Message-ID: <20020805180536.GA63145@blossom.cjclark.org>
In-Reply-To: <Pine.BSF.4.21.0208032039350.28420-100000@cody.jharris.com>
References: <20020803212854.GA55652@blossom.cjclark.org> <Pine.BSF.4.21.0208032039350.28420-100000@cody.jharris.com>

On Sat, Aug 03, 2002 at 08:53:10PM -0500, Nick Rogness wrote:
> On Sat, 3 Aug 2002, Crist J. Clark wrote:
>
> [SNIP]
> > Fine, whatever. But the ipfw(8) and natd(8) developers seem to hold
> > the same opinion. Maybe if you proposed some possible way for natd(8)
> > and 'keep-state' rules to work well together someone could do it.
>
> FWIW, you can modify the behavior of "check-state" to "JUMP TO
> RULE NUMBER XXX on stateful match" and solve most of the problems
> associated with natd & stateful inspection. Right now,
> if check-state finds a match it stops...we need it to optionally
> JUMP_TO RULE XXX. Kinda like "skipto" functionality.
>
> I talked to Luigi about this and he didn't understand what I
> meant (which is my fault). But I believe the concept is still
> sound.
Well, I'm not sure I understand exactly what you mean either, but I
would note,

    ipfw 1000 add skipto 5000 ip from $src to $dst keep-state

_Does_ work. 'keep-state' rules need not be only 'pass' actions.
I just tested to make sure. I started with the ruleset,

    00100 0 0 skipto 2000 tcp from 192.168.64.70 to me keep-state
    01000 34 4158 allow ip from any to any
    02000 0 0 allow ip from any to any
    65535 0 0 deny ip from any to any

And started a TCP connection,

    00100 18 3895 skipto 2000 tcp from 192.168.64.70 to me keep-state
    01000 54 5362 allow ip from any to any
    02000 18 3895 allow ip from any to any
    65535 0 0 deny ip from any to any

Then I added some rules to make sure that it was really working, and
after passing some more data over the existing channel,

    00090 0 0 check-state
    00095 0 0 allow ip from me to 192.168.64.70
    00096 0 0 allow ip from 192.168.64.70 to me
    00100 141 15076 skipto 2000 tcp from 192.168.64.70 to me keep-state
    01000 877 89158 allow ip from any to any
    02000 141 15076 allow ip from any to any
    65535 0 0 deny ip from any to any

Notice that rules 95 and 96 do not get hit. The 'skipto' is being done
at the 'check-state' rule.

--
Crist J. Clark | cjclark@alum.mit.edu
| cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020805180536.GA63145>
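As an added illustration (not code from the message, and not ipfw itself), the following small Python model of ipfw's rule walk replays the experiment above: a dynamic entry created by a 'keep-state' rule remembers its parent rule, and both an explicit 'check-state' and the implicit one every 'keep-state' rule performs apply the parent's action (here 'skipto 2000') and bump the parent's counter, so rules 95 and 96 inserted later never see the established flow. The address standing in for 'me', the match semantics and the flow key are simplified assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Simplified model of ipfw rule evaluation with dynamic (stateful) entries.
# It is written to show why rules added between 'check-state' and a
# 'keep-state' rule are bypassed for flows that already have a dynamic entry.


@dataclass
class Rule:
    number: int
    action: str                 # "allow", "deny", "skipto" or "check-state"
    proto: str = "ip"           # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    target: int = 0             # destination rule number for skipto
    keep_state: bool = False
    pkts: int = 0               # packet counter, like the first column of 'ipfw -a list'


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


class Firewall:
    """Minimal model of ipfw's rule walk; not the real ipfw matching engine."""

    def __init__(self, rules: List[Rule], me: str):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.me = me
        # flow key -> number of the keep-state rule that created the entry
        self.dynamic: Dict[Tuple[str, frozenset], int] = {}

    def add(self, rule: Rule) -> None:
        self.rules = sorted(self.rules + [rule], key=lambda r: r.number)

    def _addr(self, pattern: str, addr: str) -> bool:
        if pattern == "any":
            return True
        if pattern == "me":
            return addr == self.me
        return pattern == addr

    def _matches(self, rule: Rule, pkt: Packet) -> bool:
        return (rule.proto in ("ip", pkt.proto)
                and self._addr(rule.src, pkt.src)
                and self._addr(rule.dst, pkt.dst))

    @staticmethod
    def _flow(pkt: Packet) -> Tuple[str, frozenset]:
        # the entry is bidirectional, so replies hit it too (simplified: no ports)
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))

    def _index_of(self, number: int) -> int:
        # skipto continues at the first rule numbered >= the target
        return next(i for i, r in enumerate(self.rules) if r.number >= number)

    def _parent(self, pkt: Packet) -> Optional[Rule]:
        num = self.dynamic.get(self._flow(pkt))
        if num is None:
            return None
        return next(r for r in self.rules if r.number == num)

    def process(self, pkt: Packet) -> Tuple[str, List[int]]:
        """Walk the ruleset; return (verdict, numbers of rules whose counters moved)."""
        hit: List[int] = []
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            acting = None
            if rule.action == "check-state" or rule.keep_state:
                # explicit check-state, or the implicit one a keep-state rule does:
                # on a dynamic match the parent rule's action and counter apply,
                # and the check-state rule itself stays at zero, as in the listing
                acting = self._parent(pkt)
            if acting is None and rule.action != "check-state" and self._matches(rule, pkt):
                acting = rule
                if rule.keep_state:
                    self.dynamic[self._flow(pkt)] = rule.number
            if acting is None:
                i += 1
                continue
            acting.pkts += 1
            hit.append(acting.number)
            if acting.action == "skipto":
                i = self._index_of(acting.target)
                continue
            return acting.action, hit
        return "deny", hit


def reproduce_listing() -> Dict[int, int]:
    """Replay the experiment from the message; return {rule number: packets}."""
    host = "192.168.64.70"
    me = "10.0.0.1"   # constructed address standing in for 'me'
    fw = Firewall([
        Rule(100, "skipto", proto="tcp", src=host, dst="me", target=2000, keep_state=True),
        Rule(1000, "allow"),
        Rule(2000, "allow"),
        Rule(65535, "deny"),
    ], me=me)
    fw.process(Packet("tcp", host, me))          # connection opened, dynamic entry created
    fw.add(Rule(90, "check-state"))              # rules added afterwards, as in the message
    fw.add(Rule(95, "allow", src="me", dst=host))
    fw.add(Rule(96, "allow", src=host, dst="me"))
    for _ in range(2):                           # more traffic in both directions
        fw.process(Packet("tcp", host, me))
        fw.process(Packet("tcp", me, host))
    return {r.number: r.pkts for r in fw.rules}


if __name__ == "__main__":
    for number, pkts in reproduce_listing().items():
        print(f"{number:05d} {pkts}")
```

Running it prints counters in the same shape as the listing: rules 90, 95 and 96 stay at zero while 100 and 2000 count every packet of the established connection. The practical consequence for anyone auditing such a ruleset is that a block or log rule placed after 'check-state' but before the 'keep-state' rule only affects new flows, never ones that already have a dynamic entry.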
