From owner-freebsd-ipfw@FreeBSD.ORG Wed Feb 4 12:34:15 2015
Date: Wed, 4 Feb 2015 23:34:12 +1100 (EST)
From: Ian Smith
To: Julian Elischer
Cc: freebsd-ipfw@freebsd.org, lev@freebsd.org
Subject: Re: [RFC][patch] Two new actions: state-allow and state-deny
In-Reply-To: <54D1FE72.1020508@freebsd.org>
Message-ID: <20150204231922.X38620@sola.nimnet.asn.au>
References: <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au> <54D0A1AA.4080402@FreeBSD.org> <54D1AA60.4030907@freebsd.org> <54D1E4D4.10106@FreeBSD.org> <54D1FE72.1020508@freebsd.org>
List-Id: IPFW Technical Discussions

On Wed, 4 Feb 2015 19:121:46 +0000, Julian Elischer wrote:
> On 2/4/15 5:22 PM, Lev Serebryakov wrote:
> > On 04.02.2015 08:13, Julian Elischer wrote:
> >
> > > yes I think "keep-state" should be deprecated and replaced or
> > > supplemented by 'save_state' that does NOT do an implicit
> > > 'check-state'.. I don't know whose idea that was but it's just
> > > wrong. (if the state exists, maybe just replace it..)
> > Update, not replace :)
> > See my Version-3 patch for "record-state" :)
> I meant a function that acts like 'keep-state' except it does not do a
> 'check-state'.
> I'm suggesting adding yet-another command. a 'fixed' keep-state.
>
> I sort of know why they did it.. so that if the state for that
> session already exists, the original state rule is used and not the
> new rule. but ..it fires on other packets as well as the one you are
> working with.

I don't get this .. we're always working on just one packet at any time,
either inbound or outbound (to kernel), so how can check_state (or the
check also on keep-state) apply to any other packets than that one?

I've seen examples that run keep-state on the same packet both before and
after NAT, ie state on both the internal and external addresses, which is
even more confusing and surely inefficient too.

I'm not sure that everyone realises that it's the first check-state or
keep-state rule _encountered_ - ie not skipped around - that matters.

A good, definitive tutorial on how to best handle stateful, NAT'd rules
would be useful, because there are a few different theories in the wild.
Personally I only run stateful on a few types of session, and then always
using the internal addresses, but that's just one of the ways .. but doing
_everything_ statefully seems to be the Holy Grail to some.

cheers, Ian
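Ian's two points, that only the first check-state or keep-state rule encountered matters and that state is best kept on the internal addresses only, as an added example that is not from the thread or from the patch under discussion: a dry-run shell script loading an ipfw ruleset with a single check-state ahead of the only keep-state, NAT applied inbound before the state lookup and outbound after it. The interface name em0, the 192.0.2.0/24 internal network and the dry-run fwcmd/sysctlcmd wrappers are assumptions.

```sh
#!/bin/sh
# Added example: ipfw ruleset keeping state on internal addresses only.
# Dry-run by default: set fwcmd=/sbin/ipfw and sysctlcmd=/sbin/sysctl to apply.
fwcmd=${fwcmd:-"echo /sbin/ipfw"}
sysctlcmd=${sysctlcmd:-"echo /sbin/sysctl"}
ext_if=em0            # assumed outside interface
int_net=192.0.2.0/24  # assumed inside network

load_rules() {
    # Let a packet continue past the nat rule instead of being accepted there.
    $sysctlcmd net.inet.ip.fw.one_pass=0
    $fwcmd -q flush
    $fwcmd nat 1 config if $ext_if
    # Inbound: translate first, so the packet already carries the internal
    # address when it reaches check-state and can match the dynamic rule.
    $fwcmd add 100 nat 1 ip from any to any in via $ext_if
    # The first check-state (or keep-state) rule encountered is the one that
    # does the lookup; rules after it only ever see packets without state.
    $fwcmd add 200 check-state
    # Outbound: keep state on the untranslated (internal) source address and
    # skipto the NAT block rather than 'allow', otherwise the packet would be
    # accepted here and never translated.  The dynamic rule carries the
    # skipto action, so later packets of the session follow the same path.
    $fwcmd add 300 skipto 1000 tcp from $int_net to any out via $ext_if setup keep-state
    # No state and not a new outbound session: drop.
    $fwcmd add 400 deny ip from any to any
    $fwcmd add 1000 nat 1 ip from $int_net to any out via $ext_if
    $fwcmd add 1100 allow ip from any to any
}

load_rules
```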