From owner-freebsd-ipfw Mon Aug 5 16:05:13 2002
From: "Joe & Fhe Barbish"
To: "Nick Rogness"
Cc: "FBIPFW"
Subject: RE: natd & keep-state
Date: Mon, 5 Aug 2002 18:35:25 -0400
In-Reply-To: <20020805180536.GA63145@blossom.cjclark.org>

What I believe the original poster was referring to is "skipto 2000
check-state", so that all packets that have matches in the dynamic table
go to the skipto rule instead of exiting the rules file. At that skipto
rule would be a divert natd rule via $xif, followed by "allow all from
any to any", which would exit the rules file. This sure would simplify
the rule gymnastics for keep-state logic using natd.

# Jump direct to outbound section.
$cmd 130 skipto 600 all from any to any out via $xif

$cmd 210 divert natd all from any to any in via $xif
$cmd 212 skipto 500 check-state
$cmd 215 allow tcp from any to any 80 in via $xif setup keep-state
$cmd 291 deny log logamount 500 all from any to any

$cmd 500 allow all from any to any

$cmd 600 skipto 690 check-state
$cmd 609 skipto 690 tcp from any to any 80 out via $xif setup keep-state
$cmd 610 skipto 690 tcp from any to $odns1 53 out via $xif setup keep-state
$cmd 611 skipto 690 udp from any to $odns1 53 out via $xif keep-state
$cmd 630 skipto 690 tcp from any to any 25,110 out via $xif setup keep-state

$cmd 690 divert natd all from any to any out via $xif
$cmd 692 allow all from any to any out via $xif

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Crist J. Clark
Sent: Monday, August 05, 2002 2:06 PM
To: Nick Rogness
Cc: Joe & Fhe Barbish; FBIPFW; archie@whistle.com; cmott@scientech.com; perhaps@yes.no; suutari@iki.fi; dnelson@redwoodsoft.com; brian@awfulhak.org; ru@FreeBSD.ORG; rizzo@icir.org
Subject: Re: natd & keep-state

On Sat, Aug 03, 2002 at 08:53:10PM -0500, Nick Rogness wrote:
> On Sat, 3 Aug 2002, Crist J. Clark wrote:
>
> > [SNIP]
> > Fine, whatever. But the ipfw(8) and natd(8) developers seem to hold
> > the same opinion. Maybe if you proposed some possible way for natd(8)
> > and 'keep-state' rules to work well together someone could do it.
>
> FWIW, you can modify the behavior of "check-state" to "JUMP TO
> RULE NUMBER XXX on stateful match" and solve most of the problems
> associated with natd & stateful inspection. Right now,
> if check-state finds a match it stops...we need it to optionally
> JUMP_TO RULE XXX. Kinda like "skipto" functionality.
>
> I talked to Luigi about this and he didn't understand what I
> meant (which is my fault). But I believe the concept is still
> sound.
Well, I'm not sure I understand exactly what you mean either, but I
would note,

  ipfw 1000 add skipto 5000 ip from $src to $dst keep-state

_Does_ work. 'keep-state' rules need not be only 'pass' actions. I just
tested to make sure. I started with the ruleset,

  00100    0     0 skipto 2000 tcp from 192.168.64.70 to me keep-state
  01000   34  4158 allow ip from any to any
  02000    0     0 allow ip from any to any
  65535    0     0 deny ip from any to any

And started a TCP connection,

  00100   18  3895 skipto 2000 tcp from 192.168.64.70 to me keep-state
  01000   54  5362 allow ip from any to any
  02000   18  3895 allow ip from any to any
  65535    0     0 deny ip from any to any

Then I added some rules to make sure that it was really working, and
after passing some more data over the existing channel,

  00090    0     0 check-state
  00095    0     0 allow ip from me to 192.168.64.70
  00096    0     0 allow ip from 192.168.64.70 to me
  00100  141 15076 skipto 2000 tcp from 192.168.64.70 to me keep-state
  01000  877 89158 allow ip from any to any
  02000  141 15076 allow ip from any to any
  65535    0     0 deny ip from any to any

Notice that rules 95 and 96 do not get hit. The 'skipto' is being done
at the 'check-state' rule.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
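An added example, not code from this thread or from ipfw itself: a small Python model of the evaluation behaviour Crist's test shows. A dynamic entry created by a 'keep-state' rule carries its parent's action, so when 'check-state' finds a match it performs the parent's 'skipto' (counted on the parent rule) rather than just accepting the packet, and the rules sitting between 'check-state' and the parent are never consulted. The packets, ports and the simplified matching model are assumptions; the rule numbers and counters mirror Crist's output.

```python
def make_rule(num, action, match=None, target=None, keep_state=False):
    # match: function(pkt) -> bool; None matches every packet
    return {"num": num, "action": action, "match": match,
            "target": target, "keep_state": keep_state, "pkts": 0}

def flow_key(pkt):
    # One key for both directions of a flow, so replies hit the entry too
    return frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])

class Firewall:
    def __init__(self, rules):
        self.dynamic = {}  # flow key -> the keep-state rule that created it
        self.rules = sorted(rules, key=lambda r: r["num"])

    def add(self, rule):  # insert a rule, keeping number order
        self.rules = sorted(self.rules + [rule], key=lambda r: r["num"])

    def process(self, pkt):
        i = 0
        while i < len(self.rules):
            r, dyn = self.rules[i], False
            if r["action"] == "check-state":  # consult the dynamic table
                r, dyn = self.dynamic.get(flow_key(pkt)), True
            if r is None or (not dyn and r["match"] and not r["match"](pkt)):
                i += 1
                continue
            r["pkts"] += 1  # a dynamic hit is counted on the parent rule
            if r["keep_state"]:
                self.dynamic.setdefault(flow_key(pkt), r)
            if r["action"] in ("allow", "deny"):
                return r["action"]
            # skipto: resume at the first rule numbered >= target
            i = next((k for k, x in enumerate(self.rules)
                      if x["num"] >= r["target"]), len(self.rules))
        return "deny"  # the implicit default rule 65535

def crist_test():
    # Replay of Crist's test with constructed sample packets (assumed ports)
    client, me = "192.168.64.70", "me"
    fw = Firewall([
        make_rule(100, "skipto", lambda p: (p["src"], p["dst"]) == (client, me),
                  target=2000, keep_state=True),
        make_rule(1000, "allow"), make_rule(2000, "allow")])
    syn = {"src": client, "sport": 40000, "dst": me, "dport": 22}
    reply = {"src": me, "sport": 22, "dst": client, "dport": 40000}
    verdicts = [fw.process(syn)]  # first packet creates the dynamic entry
    fw.add(make_rule(90, "check-state"))
    fw.add(make_rule(95, "allow", lambda p: (p["src"], p["dst"]) == (me, client)))
    fw.add(make_rule(96, "allow", lambda p: (p["src"], p["dst"]) == (client, me)))
    verdicts += [fw.process(reply), fw.process(syn)]
    return verdicts, {r["num"]: r["pkts"] for r in fw.rules}
```

Running crist_test() leaves rules 90, 95 and 96 at zero packets while 100 and 2000 count every packet of the flow, which is the pattern in Crist's third listing.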