Date: Tue, 3 Feb 2015 23:31:58 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Lev Serebryakov <lev@FreeBSD.org>
Cc: freebsd-ipfw <freebsd-ipfw@FreeBSD.org>, freebsd-net <freebsd-net@FreeBSD.org>
Subject: Re: [RFC][patch] Two new actions: state-allow and state-deny
Message-ID: <20150203231410.Y38620@sola.nimnet.asn.au>
In-Reply-To: <54D0A1AA.4080402@FreeBSD.org>
References: <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au> <54D0A1AA.4080402@FreeBSD.org>
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
> On 03.02.2015 13:04, Ian Smith wrote:
>
> >> Now to make stateful firewall with NAT you need to make some not
> >> very "readable" tricks to record state ("allow") of outbound
> >> connection before NAT, but pass packet to NAT after that. I know
> >> two:
> >>
> >> (a) skipto-nat-allow pattern from many HOWTOs
> >
> > Lev, can you provide references for these HOWTOs you refer to?
> >
> > I have a suspicion that some of them should be taken out and shot.
>
> google for "FreeBSD ipfw nat stateful" :) There are a lot of them. Not
> real HOWTOs, but blog posts & alike.

As I suspected, most of them either are or refer to or are based on the
handbook IPFW page, which I believe has caused more damage to the cause
of IPFW adoption and usage than anything else. ipfw(8) is your friend,
and pretty much your only friend in this regard.

Of those, https://nileshgr.com/2014/12/07/freebsd-ipfw-nat-jails isn't
bad. Many of the others are up to 10 years old and not much help.

http://www.pl.freebsd.org/doc/handbook/firewalls-ipfw.html is an earlier
version of https://www.freebsd.org/doc/handbook/firewalls-ipfw.html
which has undergone significant improvement lately (compare), but still
contains factual errors in the rulesets and very muddle-headed ideas
regarding syslog and other things, IMHO.

I'd best say no more on this topic; you can't discombobulate confusion.

Cheers, Ian out

> BTW, without new mechanism it is really hard to do such firewall, as
> we need an action (nat) after "allow keep-state". It could be done with
> this ugly skip-to or with "allow keep-state" in INCOMING section of
> firewall, which is not much better, as I prefer to decide to let a packet
> out or not in OUTCOMING part of firewall, and with "allow keep-state"
> in incoming path it floods the state table with unused states.
>
> Another problem, that "keep-state" acts as "check-state" too, so you
> could not have ANOTHER "keep-state" before NAT in outgoing part or you
> miss nat completely (state is created in outgoing path, and then
> checked before nat in outgoing path with "keep-state", grrrrr, ugly!).
>
> --
> // Lev Serebryakov AKA Black Lion
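The "skipto-nat-allow" pattern that the thread refers to, written out as a loadable ipfw ruleset. This is an added example, not code from the thread or the handbook; the interface names em0/em1 and the 192.168.1.0/24 prefix are constructed assumptions, and the ruleset is passed through whatever command is given as an argument so it can be previewed with `echo` before being loaded with `/sbin/ipfw -q`.

```shell
#!/bin/sh
# Added example (not from the thread): the skipto-nat-allow pattern as a
# loadable ipfw ruleset. Interfaces and LAN prefix are assumed values.
wan="em0"                 # assumed external interface, NAT is applied here
lan="em1"                 # assumed internal interface
lan_net="192.168.1.0/24"  # assumed private LAN prefix behind the NAT

# load_rules CMD... : feed every rule to CMD, e.g. "load_rules /sbin/ipfw -q"
# to load it, or "load_rules echo" to print the ruleset without touching
# the kernel.
load_rules() {
    "$@" -f flush
    "$@" nat 1 config if "$wan" unreg_only reset
    # Inbound on WAN: un-NAT first, so check-state sees the private address
    # pair that the dynamic rule was created with (before NAT on the way out).
    "$@" add 100 nat 1 ip from any to any in via "$wan"
    "$@" add 200 check-state
    "$@" add 300 allow ip from any to any via lo0
    "$@" add 400 allow ip from any to any via "$lan"
    # Outbound from LAN: record state with the pre-NAT 5-tuple, then jump
    # over the deny to the NAT rule. keep-state here also behaves as
    # check-state, which is the point Lev complains about in the thread.
    "$@" add 500 skipto 1000 ip from "$lan_net" to any out via "$wan" keep-state
    # Router's own outbound traffic needs no NAT; plain stateful allow.
    "$@" add 510 allow ip from me to any out via "$wan" keep-state
    # Inbound on WAN with no matching state is dropped here.
    "$@" add 600 deny ip from any to any in via "$wan"
    "$@" add 1000 nat 1 ip from any to any out via "$wan"
    # Must stay unrestricted: inbound replies also land here, because the
    # dynamic rule inherits the parent's skipto action from check-state.
    "$@" add 1010 allow ip from any to any
    "$@" add 65000 deny ip from any to any
}

# Count the rules a given dispatch produces (useful for a dry-run check).
count_rules() {
    load_rules echo | grep -c '^add '
}
```

Run `load_rules echo` first to review the generated ruleset; the outbound rule 500 is what records state before NAT, and rule 1010 must remain a bare allow or inbound replies are dropped at 65000.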