From owner-freebsd-ipfw@FreeBSD.ORG Wed Aug 8 23:16:37 2007
From: "Vadim Goncharov" (envelope-from vadimnuclight@tpu.ru)
Organization: AVTF TPU Hostel
To: ipfw@freebsd.org
Date: Thu, 09 Aug 2007 05:50:44 +0700
Subject: Re: All I have is one packet!
06.08.07 @ 23:05 Eduardo Meyer wrote:

> I have tried, for many weeks, ng_tag to tag packets for ipfw
> filtering. I could make it work fine. However, I have one problem. I
> want to make a state that will match any packet, on any protocol,
> between the peers. Why? Because all I have is one packet. And this
> packet, however, won't always be in the same transport protocol.
>
> For example, I can identify session initialization on TCP packets, but
> once initialized, all communication between peers happens via UDP.
>
> I know such a thing doesn't exist in ipfw. However, I would like to know
> if someone can suggest changes to the code that would do this. It would
> also be great if I could have a sysctl OID to tune state timing of
> this unusual behaviour, differently from the existing sysctl MIBs on
> "dyn" stuff in ipfw.
>
> Every suggestion on a feature like that would be appreciated.

Yes, dynamic rules in ipfw are not intended to support state created in the middle of a session; with the default sysctl settings it will be kept for 1 second (which, however, is enough for shaping of fast transfers).

I think precise control of dynamic rules from both userland and kernel should be added to ipfw, to modify existing rules on the fly (or even more features, like pfsync). As a hackish, dirty workaround, maybe it could be only one keyword, something like "keep-state-middle", to create a normal dynamic rule without the initial SYNs.

But you've described even more complex behaviour, like init on TCP, continue with UDP. That's difficult to implement in the kernel, and may not even be suitable for ipfw.
Currently (I think) you can try to emulate this behaviour by diverting the packets tagged by ng_tag to a userland program, like snort_inline (from the ports collection) with the needed scripting, which will trigger adding the proper rules to the firewall (you should also take care of expiring that connection on SYNs and RSTs, though).

-- 
WBR, Vadim Goncharov
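The userland workaround sketched in the reply, as an added example that is not part of the original message and not code from ipfw or snort_inline: a helper that would sit behind an ipfw "divert" rule matching the ng_tag-tagged packets, create one any-protocol rule pair between the two peers when it sees the TCP session setup, keep it alive while either side keeps talking (TCP or UDP), and tear it down on RST/FIN or after an idle timeout of its own rather than the net.inet.ip.fw.dyn_* sysctls. The divert-socket read loop and the real ipfw(8) invocations are not included; the functions return the ipfw command strings instead so the logic can be checked offline. Packet, PeerStateTable, RULE_BASE, PEER_TIMEOUT and all sample addresses are assumptions made for this example.

```python
"""Peer-pair state helper for the ng_tag + divert workaround (added example).

Assumed ipfw side (not part of this block):
    ipfw add 100 divert 8668 ip from any to any tagged 1
A daemon reading divert port 8668 would build a Packet from each datagram,
call PeerStateTable.handle(), run the returned ipfw commands with
subprocess, and re-inject the packet. Everything below is the policy only.
"""
from dataclasses import dataclass

# Hypothetical helper settings (assumptions; these are NOT ipfw sysctls).
RULE_BASE = 10000      # first rule number the helper owns
PEER_TIMEOUT = 120     # seconds without traffic before the pair is dropped

# TCP flag bits as in <netinet/tcp.h>.
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    """Minimal view of one diverted packet (constructed for the example)."""
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    flags: int = 0      # TCP flags; 0 for UDP


def peer_key(a: str, b: str) -> tuple:
    """Direction-independent key so both halves of a flow share one entry."""
    return (a, b) if a <= b else (b, a)


class PeerStateTable:
    """Tracks peer pairs and emits the ipfw commands that keep them open."""

    def __init__(self, timeout: int = PEER_TIMEOUT, rule_base: int = RULE_BASE):
        self.timeout = timeout
        self.next_rule = rule_base
        self.entries = {}   # peer_key -> {"rule": number, "last": timestamp}

    def _add_rule(self, key: tuple, now: float) -> list:
        num = self.next_rule
        self.next_rule += 1
        self.entries[key] = {"rule": num, "last": now}
        a, b = key
        # One rule number, both directions, every protocol ("ip"), so the
        # later UDP traffic between the same peers is covered as well.
        return [f"ipfw add {num} allow ip from {a} to {b}",
                f"ipfw add {num} allow ip from {b} to {a}"]

    def _del_rule(self, key: tuple) -> list:
        num = self.entries.pop(key)["rule"]
        return [f"ipfw delete {num}"]

    def handle(self, pkt: Packet, now: float) -> list:
        """Process one diverted packet; return ipfw commands to run (may be empty)."""
        key = peer_key(pkt.src, pkt.dst)
        entry = self.entries.get(key)
        if entry is None:
            # Only a bare SYN (session setup) creates state. Mid-stream TCP
            # or UDP between unknown peers is left to the static ruleset.
            if pkt.proto == "tcp" and (pkt.flags & TH_SYN) and not (pkt.flags & TH_ACK):
                return self._add_rule(key, now)
            return []
        entry["last"] = now          # any protocol refreshes the pair
        if pkt.proto == "tcp" and pkt.flags & (TH_RST | TH_FIN):
            return self._del_rule(key)   # explicit teardown
        return []

    def expire(self, now: float) -> list:
        """Drop pairs idle longer than the timeout; return the delete commands."""
        cmds = []
        for key, entry in list(self.entries.items()):
            if now - entry["last"] > self.timeout:
                cmds += self._del_rule(key)
        return cmds

    def active_pairs(self) -> set:
        return set(self.entries)


def demo() -> list:
    """Constructed trace: TCP setup, UDP keepalive, idle expiry, then RST teardown."""
    table = PeerStateTable()
    out = []
    out += table.handle(Packet("tcp", "10.0.0.1", "192.0.2.5", TH_SYN), now=0)
    out += table.handle(Packet("udp", "192.0.2.5", "10.0.0.1"), now=50)   # UDP after TCP init
    out += table.expire(now=100)                                           # still fresh
    out += table.expire(now=200)                                           # 150 s idle: drop
    out += table.handle(Packet("tcp", "10.0.0.1", "192.0.2.5", TH_SYN), now=300)
    out += table.handle(Packet("tcp", "192.0.2.5", "10.0.0.1", TH_RST | TH_ACK), now=301)
    return out


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

The point of the peer-pair key is that the UDP traffic at t=50 refreshes the entry created by the TCP SYN at t=0, which is exactly what a per-flow dynamic rule cannot do; the idle timeout and the RST/FIN check are what the reply means by "expiring that connection".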