Date:      Tue, 03 Feb 2015 13:23:38 +0300
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        freebsd-ipfw <freebsd-ipfw@freebsd.org>, freebsd-net <freebsd-net@freebsd.org>
Subject:   Re: [RFC][patch] Two new actions: state-allow and state-deny
Message-ID:  <54D0A1AA.4080402@FreeBSD.org>
In-Reply-To: <20150203205715.A38620@sola.nimnet.asn.au>
References:  <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03.02.2015 13:04, Ian Smith wrote:

>> Now to make stateful firewall with NAT you need to make some not
>> very "readable" tricks to record state ("allow") of outbound
>> connection before NAT, but pass packet to NAT after that. I know
>> two:
>> 
>> (a) skipto-nat-allow pattern from many HOWTOs
> 
> Lev, can you provide references for these HOWTOs you refer to?
> 
> I have a suspicion that some of them should be taken out and shot.

 Google for "FreeBSD ipfw nat stateful" :) There are a lot of them. Not
real HOWTOs, but blog posts and the like.

 BTW, without a new mechanism it is really hard to do such a firewall, as
we need an action (nat) after "allow keep-state". It could be done with
this ugly skipto or with "allow keep-state" in the INCOMING section of the
firewall, which is not much better, as I prefer to decide whether to let a
packet out or not in the OUTGOING part of the firewall, and with "allow
keep-state" in the incoming path it floods the state table with unused states.

 Another problem: "keep-state" acts as "check-state" too, so you
cannot have ANOTHER "keep-state" before NAT in the outgoing part or you
miss nat completely (state is created in the outgoing path, and then
checked before nat in the outgoing path with "keep-state", grrrrr, ugly!).


- -- 
// Lev Serebryakov AKA Black Lion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0KGqXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePYvYQALeGCF9EuZKP3jLDaRwad+TO
IhYq5I3xPPqU3eNEdQ6OqdFonVQ4mDB+UipZzspC/U5drf1qo2LkOF8oBNDlVDW4
2I+bgYStptIkpSoBOe5AGRYwO3jfec77GvXhR8cMeQZK2Z9NIazn5ZtFkdQyiiDU
+b7pxBQ0SbbMUT3hubl4H+v93dMGfjnzrFg1aSY4/uYnmilb8plWN1o4BshZVMSz
z1lrFSaorj4RNYxnpM6f6YtDDYx4TahA7+OILl/BvzmNoztWb5hKNX+1TGLZPcch
QE19iix+8O75yuVEMim6FxZ7u6sRk+4PpL/WzCLC2PpPxP/AyiFRh4zw7Q34HDNm
xPe4Nfzt5vDj0/2HYMY0q0UeSfVY/U0iB3TWmV/3HFObaLeibCgHqOFGmtCpHw5/
EXJX36mpffO1wI6ImPAvQ9C/wE6/JdoL8R3EPrsN3hdNmoVNIrnDuaeAwiQM6Ljm
4CHzsqlYYzyjzgyMmmJahaZ3Lrr0IjnVixC3/z46SfpPipaua8Pr+oZozC4WFmnn
4IhsXH+XK7fTbKQaZML6o9j6Bm0hs9g6mt+VSWCYWGCHh/V3DzTuH2BECUeC8lsD
9pwHv4x4vPbh7d/kBwAl75mOe3etb8nD/+i+x0oqbPn0T73DgdGgYPnIKqElOi4Y
Ws6uw/Euno3YnSSds5Eb
=FJZe
-----END PGP SIGNATURE-----
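As an added illustration (constructed for this archive page, not code from the thread and not ipfw source), here is a small Python model of ipfw's dynamic-rule handling. It shows both points Lev raises above: the skipto-nat-allow pattern records state before NAT and keeps steering the flow through the nat rule, while a second "keep-state" rule placed ahead of nat, because keep-state also performs the check-state probe, matches the stored "allow" state on the pre-NAT addresses and lets later packets leave untranslated. The interface names em0/em1, the 203.0.113.1 public address, the 192.168.0.0/24 LAN, net.inet.ip.fw.one_pass=0 and the prefix-style address matching are all assumptions of the model, not details from the thread.

```python
"""Toy model of ipfw dynamic-rule handling, constructed for this example (not
ipfw source). 'keep-state' probes the dynamic table before its own static
match, so a keep-state rule placed ahead of 'nat' fires a stored 'allow' state
on pre-NAT addresses and the packet skips NAT; the skipto-nat-allow pattern
survives because its stored action is 'skipto <nat rule>'. Assumes one_pass=0,
LAN on em1 (192.168.0.0/24), WAN on em0, string-prefix address matching."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"  # assumed WAN address (RFC 5737 documentation range)

@dataclass
class Packet:
    src: str
    dst: str
    direction: str = "out"  # "in" or "out"
    iface: str = "em0"

@dataclass
class Rule:
    num: int
    action: str            # check-state | allow | deny | nat | skipto
    src: str = "any"       # toy prefix: "192.168." stands for 192.168.0.0/16
    dst: str = "any"
    direction: str = None  # None: both directions
    iface: str = None      # None: any interface
    keep_state: bool = False
    target: int = 0        # skipto destination rule number

    def static_match(self, p):
        """The rule's own match conditions, ignoring dynamic state."""
        return (self.direction in (None, p.direction) and self.iface in (None, p.iface)
                and (self.src == "any" or p.src.startswith(self.src))
                and (self.dst == "any" or p.dst.startswith(self.dst)))

class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dyn = {}      # frozenset({addr_a, addr_b}) -> rule that created the state
        self.nat_map = {}  # remote address -> internal address (libalias stand-in)

    def _index(self, num):
        return next(i for i, r in enumerate(self.rules) if r.num >= num)

    def run(self, pkt):
        """One pass through the ruleset; returns (verdict, natted)."""
        p, natted, i = replace(pkt), False, 0
        while i < len(self.rules):
            r, i = self.rules[i], i + 1  # default: fall through to the next rule
            # check-state and every keep-state rule consult the dynamic table
            # before their own match; on a hit the parent rule's action runs.
            if r.action == "check-state" or r.keep_state:
                parent = self.dyn.get(frozenset((p.src, p.dst)))
                if parent is not None:
                    if parent.action != "skipto":
                        return parent.action, natted
                    i = self._index(parent.target)
                    continue
                if r.action == "check-state":
                    continue
            if not r.static_match(p):
                continue
            if r.keep_state:
                self.dyn[frozenset((p.src, p.dst))] = r
            if r.action in ("allow", "deny"):
                return r.action, natted
            if r.action == "skipto":
                i = self._index(r.target)
            elif p.direction == "out":  # r.action == "nat": translate, fall through (one_pass=0)
                self.nat_map[p.dst] = p.src
                p.src, natted = PUBLIC_IP, True
            elif p.dst == PUBLIC_IP and p.src in self.nat_map:
                p.dst, natted = self.nat_map[p.src], True
        return "deny", natted  # implicit default deny

def forward_lan_to_wan(fw, src, dst):
    """LAN packet traverses ipfw twice ('in via em1', then 'out via em0');
    returns (verdict, natted) of the outgoing pass."""
    if fw.run(Packet(src, dst, "in", "em1"))[0] != "allow":
        return "deny", False
    return fw.run(Packet(src, dst, "out", "em0"))

def reply_from_wan(fw, src):
    return fw.run(Packet(src, PUBLIC_IP, "in", "em0"))[0]

# (a) skipto-nat-allow: state recorded before NAT, stored action 'skipto 1000'
SKIPTO = [
    Rule(100, "nat", direction="in", iface="em0"),  # de-NAT replies first
    Rule(200, "check-state"),
    Rule(250, "allow", src="192.168.", direction="in", iface="em1"),
    Rule(300, "skipto", src="192.168.", direction="out", iface="em0",
         keep_state=True, target=1000),
    Rule(400, "deny"),
    Rule(1000, "nat", direction="out", iface="em0"),
    Rule(1010, "allow"),
]
# (b) 'allow keep-state' in the incoming (LAN) section; nat must sit ahead of it
KEEPSTATE_IN = [
    Rule(100, "nat", iface="em0"),
    Rule(200, "allow", src="192.168.", direction="in", iface="em1", keep_state=True),
    Rule(300, "allow", direction="out", iface="em0"),
]
# "ANOTHER keep-state before NAT": never matches the WAN flow statically, but probes
EXTRA = Rule(50, "allow", dst="10.", direction="out", iface="em1", keep_state=True)
```

Run `forward_lan_to_wan(Ipfw(KEEPSTATE_IN + [EXTRA]), "192.168.0.10", "198.51.100.7")` and the outgoing pass returns `("allow", False)`: rule 50 never matches the flow statically, yet its implicit probe finds the state that rule 200 created on the incoming pass and the packet leaves with its private source address, which is the "miss nat completely" case. The same `EXTRA` rule added to `SKIPTO` still yields `("allow", True)` on every packet, because the stored action is `skipto 1000` and the flow is sent through the nat rule again.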
