From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 14:04:20 2009
Date: Sat, 12 Sep 2009 16:10:21 +0200
From: Luigi Rizzo
To: Cypher Wu
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Transparent firewall & Dynamic rules
Message-ID: <20090912141021.GA46670@onelab2.iet.unipi.it>
References: <20090912130913.GA46135@onelab2.iet.unipi.it>
List-Id: IPFW Technical Discussions

On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
> It seems fine, but I still have some questions:
> 1. The endpoint will respond to the keepalive TCP segment and the
> destination will be the other endpoint; will IPFW just let it through
> like the usual IP packet, or try to figure it out and drop it?

it will let the packet through.

> 2. If I have two computers I can make sure both ends are not using
> keepalive, then can I still figure out there is a firewall between
> these two computers?

you can disable the keepalives on the firewall (if there is no sysctl
for it, it's a trivial code change anyways), and you can set a large
timeout.
but by definition the presence of a firewall _is_ detectable, unless it blocks nothing so it is just a logger and not a firewall. 'transparent' referred to a middlebox means "it does not require endpoint reconfiguration", not that it is undetectable.
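The two knobs Luigi refers to do exist as sysctls on FreeBSD: ipfw(8) documents net.inet.ip.fw.dyn_keepalive (whether the firewall generates keepalive segments for idle dynamic rules) and net.inet.ip.fw.dyn_ack_lifetime (how long an established TCP flow stays in the dynamic table without traffic). The script below is an added example, not part of the thread or of the ipfw sources: it emits those settings plus a minimal stateful ruleset for a bridging firewall, so the middlebox injects no packets of its own and still closes idle flows after a long timeout. The inside prefix 192.0.2.0/24, the 3600-second lifetime and the use of net.link.bridge.ipfw to pass bridged traffic through ipfw are assumptions for this example; the apply step only runs when explicitly requested and when ipfw is present.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): silence ipfw dynamic-rule
# keepalives on a transparent (bridge) firewall and lengthen the idle timeout
# for established TCP flows.  Assumes FreeBSD, ipfw(8) and if_bridge(4).

# Idle lifetime, in seconds, of an established TCP flow in the dynamic table.
# ipfw's default is 300; 3600 is a constructed value for this example.
DYN_ACK_LIFETIME=${DYN_ACK_LIFETIME:-3600}

# Emit the sysctl settings, one "name=value" per line.
#   dyn_keepalive=0      -> the firewall sends no keepalive segments itself,
#                           so its presence is not advertised by extra traffic
#   dyn_ack_lifetime=N   -> idle established flows survive N seconds instead
#                           of the default 300 before the dynamic rule expires
#   net.link.bridge.ipfw -> bridged frames are passed through ipfw (assumed)
ipfw_dyn_sysctls() {
    printf '%s\n' \
        "net.inet.ip.fw.dyn_keepalive=0" \
        "net.inet.ip.fw.dyn_ack_lifetime=$DYN_ACK_LIFETIME" \
        "net.link.bridge.ipfw=1"
}

# Emit a minimal stateful ruleset.  The inside prefix is hypothetical.
# Returning packets of a flow opened from inside match the dynamic rule at
# check-state; everything else falls through to the final deny.
ipfw_dyn_rules() {
    inside=${1:-192.0.2.0/24}
    printf '%s\n' \
        "ipfw -q flush" \
        "ipfw add 100 check-state" \
        "ipfw add 200 allow tcp from $inside to any setup keep-state" \
        "ipfw add 65000 deny ip from any to any"
}

# Verification after applying: returns 0 only when keepalives are really off.
ipfw_dyn_check() {
    [ "$(sysctl -n net.inet.ip.fw.dyn_keepalive 2>/dev/null)" = "0" ]
}

# Apply both pieces.  Refuses to run where ipfw is not available.
ipfw_dyn_apply() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not found" >&2; return 1; }
    ipfw_dyn_sysctls | while IFS= read -r kv; do sysctl "$kv"; done
    ipfw_dyn_rules "$@" | sh -e
    ipfw_dyn_check
}

# Usage:  sh dyn_quiet.sh apply [inside-prefix]
#         sh dyn_quiet.sh          (only prints what would be set)
case "${1:-}" in
    apply) shift; ipfw_dyn_apply "$@" ;;
    *)     ipfw_dyn_sysctls; ipfw_dyn_rules "${2:-}" ;;
esac
```

Disabling keepalives only removes the firewall's own traffic; as the message says, the flows it blocks still reveal it, and with keepalives off an idle connection whose dynamic rule has expired is dropped silently instead of being kept alive, so choose dyn_ack_lifetime with the longest legitimate idle period in mind.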