From owner-freebsd-net@FreeBSD.ORG Tue Feb 3 10:24:26 2015
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0DFF3136; Tue, 3 Feb 2015 10:24:26 +0000 (UTC)
Received: from onlyone.friendlyhosting.spb.ru (onlyone.friendlyhosting.spb.ru [46.4.40.135]) by mx1.freebsd.org (Postfix) with ESMTP id C29B0357; Tue, 3 Feb 2015 10:24:25 +0000 (UTC)
Received: from [192.168.135.70] (unknown [94.19.235.70]) (Authenticated sender: lev@serebryakov.spb.ru) by onlyone.friendlyhosting.spb.ru (Postfix) with ESMTPSA id 1D6ED5C002; Tue, 3 Feb 2015 13:23:37 +0300 (MSK)
Message-ID: <54D0A1AA.4080402@FreeBSD.org>
Date: Tue, 03 Feb 2015 13:23:38 +0300
From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Organization: FreeBSD
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Ian Smith
Subject: Re: [RFC][patch] Two new actions: state-allow and state-deny
References: <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au>
In-Reply-To: <20150203205715.A38620@sola.nimnet.asn.au>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: freebsd-ipfw, freebsd-net
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Tue, 03 Feb 2015 10:24:26 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 03.02.2015 13:04, Ian Smith wrote:

>> Now to make stateful firewall with NAT you need to make some not
>> very "readable" tricks to record state ("allow") of outbound
>> connection before NAT, but pass packet to NAT after that. I know
>> two:
>>
>> (a) skipto-nat-allow pattern from many HOWTOs
>
> Lev, can you provide references for these HOWTOs you refer to?
>
> I have a suspicion that some of them should be taken out and shot.

google for "FreeBSD ipfw nat stateful" :) There are a lot of them. Not real HOWTOs, but blog posts & alike.

BTW, without a new mechanism it is really hard to do such a firewall, as we need an action (nat) after "allow keep-state". It could be done with this ugly skipto or with "allow keep-state" in the INCOMING section of the firewall, which is not much better, as I prefer to decide whether to let a packet out or not in the OUTGOING part of the firewall, and with "allow keep-state" in the incoming path it floods the state table with unused states.

Another problem is that "keep-state" acts as "check-state" too, so you could not have ANOTHER "keep-state" before NAT in the outgoing part or you miss nat completely (state is created in the outgoing path, and then checked before nat in the outgoing path with "keep-state", grrrrr, ugly!).

- --
// Lev Serebryakov AKA Black Lion

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0KGqXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePYvYQALeGCF9EuZKP3jLDaRwad+TO
IhYq5I3xPPqU3eNEdQ6OqdFonVQ4mDB+UipZzspC/U5drf1qo2LkOF8oBNDlVDW4
2I+bgYStptIkpSoBOe5AGRYwO3jfec77GvXhR8cMeQZK2Z9NIazn5ZtFkdQyiiDU
+b7pxBQ0SbbMUT3hubl4H+v93dMGfjnzrFg1aSY4/uYnmilb8plWN1o4BshZVMSz
z1lrFSaorj4RNYxnpM6f6YtDDYx4TahA7+OILl/BvzmNoztWb5hKNX+1TGLZPcch
QE19iix+8O75yuVEMim6FxZ7u6sRk+4PpL/WzCLC2PpPxP/AyiFRh4zw7Q34HDNm
xPe4Nfzt5vDj0/2HYMY0q0UeSfVY/U0iB3TWmV/3HFObaLeibCgHqOFGmtCpHw5/
EXJX36mpffO1wI6ImPAvQ9C/wE6/JdoL8R3EPrsN3hdNmoVNIrnDuaeAwiQM6Ljm
4CHzsqlYYzyjzgyMmmJahaZ3Lrr0IjnVixC3/z46SfpPipaua8Pr+oZozC4WFmnn
4IhsXH+XK7fTbKQaZML6o9j6Bm0hs9g6mt+VSWCYWGCHh/V3DzTuH2BECUeC8lsD
9pwHv4x4vPbh7d/kBwAl75mOe3etb8nD/+i+x0oqbPn0T73DgdGgYPnIKqElOi4Y
Ws6uw/Euno3YnSSds5Eb
=FJZe
-----END PGP SIGNATURE-----
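The "skipto-nat-allow" pattern the message refers to, written out as an added illustration for readers of the thread; it is not taken from the message, from the HOWTOs it mentions, or from the proposed patch. The interface name em0, the LAN prefix 192.168.0.0/24, NAT instance 1 and all rule numbers are assumptions. It shows the two points Lev makes: the state has to be recorded with a jump rather than an allow so that the packet still reaches the nat rule, and a plain "allow ... keep-state" placed before nat would pass the packet untranslated.

```ipfw
# Added illustration of the classic skipto-nat-allow pattern; not the
# thread's own ruleset. em0, 192.168.0.0/24, nat instance 1 and the rule
# numbers are assumptions.

# With one_pass=1 (the default) a packet is accepted right after the nat
# rule and never reaches check-state, so inbound replies would bypass the
# dynamic table. The pattern therefore needs one_pass=0.
sysctl net.inet.ip.fw.one_pass=0

ipfw -f flush
ipfw nat 1 config if em0 reset same_ports

# Inbound: translate first, so check-state compares the original private
# addresses that the dynamic rules were recorded with.
ipfw add 100 nat 1 ip from any to any in via em0
ipfw add 200 check-state

# Outbound: record the state here, but jump instead of allowing. keep-state
# binds the dynamic rule to this rule's action, so later packets of the same
# connection matched at rule 200 also jump to 1000 and get translated.
# "allow ... keep-state" at this point would let the first packet out
# untranslated and, because keep-state also checks state, every later one too.
ipfw add 300 skipto 1000 tcp from 192.168.0.0/24 to any out via em0 setup keep-state
ipfw add 310 skipto 1000 udp from 192.168.0.0/24 to any out via em0 keep-state

# Anything still here is neither an established connection nor a permitted
# new outbound one.
ipfw add 900 deny log ip from any to any

# Translate and pass the outbound traffic that was jumped here. Inbound
# packets arriving via check-state skip rule 1000 (it is "out" only) and
# are passed by 1100.
ipfw add 1000 nat 1 ip from any to any out via em0
ipfw add 1100 allow ip from any to any
```

The jump is exactly the "not very readable trick" the thread complains about: the rule that decides the policy (300) and the rule that actually passes the packet (1100) are far apart, and every rule with keep-state also acts as check-state, so the ordering relative to rule 1000 is fragile. The state-allow and state-deny actions in the RFC's subject are meant to record the state without that detour.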