From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 14:52:30 2009
From: Cypher Wu <cypher.w@gmail.com>
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 12 Sep 2009 22:52:29 +0800
Subject: Re: Transparent firewall & Dynamic rules
In-Reply-To: <20090912141021.GA46670@onelab2.iet.unipi.it>
References: <20090912130913.GA46135@onelab2.iet.unipi.it> <20090912141021.GA46670@onelab2.iet.unipi.it>
List-Id: IPFW Technical Discussions
Thanks a lot. It seems that I've misunderstood 'transparent firewall'.

On Sat, Sep 12, 2009 at 10:10 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
>> It seems fine, but I still have some questions:
>> 1. The endpoint will respond to the keepalive TCP segment and the
>> destination will be the other endpoint; will IPFW just let it through
>> like a usual IP packet, or try to figure it out and drop it?
>
> it will let the packet through.
>
>> 2. If I have two computers and can make sure both ends are not using
>> keepalive, can I still figure out there is a firewall between
>> these two computers?
>
> you can disable the keepalives on the firewall (if there is no
> sysctl for it, it's a trivial code change anyways), and you
> can set a large timeout.
>
> but by definition the presence of a firewall _is_ detectable,
> unless it blocks nothing so it is just a logger and not a firewall.
>
> 'transparent' referred to a middlebox means
> "it does not require endpoint reconfiguration", not that
> it is undetectable.
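The trade-off Luigi describes (firewall-generated keepalives that the endpoints can see, versus no keepalives and a long dynamic-rule lifetime), as an added model that is not part of this thread and not ipfw's own code. It follows the behaviour ipfw(8) documents for keep-state rules: an established TCP state lives net.inet.ip.fw.dyn_ack_lifetime seconds (default 300) and, with net.inet.ip.fw.dyn_keepalive set, the firewall sends a keepalive to both ends every 5 s during the last 20 s of that lifetime; the endpoint's ACK in reply crosses the firewall like any other segment and refreshes the state. Those constants are taken from the man page and assumed to match the ipfw of the time; the endpoint addresses are constructed, and the model ignores the separate SYN/FIN/RST lifetimes and UDP.

```python
"""Toy model of ipfw dynamic-rule ageing and keepalive generation (example code, not ipfw)."""
from dataclasses import dataclass, field

# Parameters as documented in ipfw(8); assumed to match the ipfw being discussed.
DEFAULT_ACK_LIFETIME = 300   # net.inet.ip.fw.dyn_ack_lifetime: seconds an established TCP state lives
KEEPALIVE_WINDOW = 20        # keepalives are sent only in the last 20 s of a state's lifetime
KEEPALIVE_INTERVAL = 5       # one keepalive to each end every 5 s inside that window

A, B = "10.0.0.1", "10.0.0.2"  # constructed endpoint addresses for the simulation


@dataclass
class DynFirewall:
    """Minimal model of the dynamic-rule table behind a ruleset of the form
    'check-state' / 'allow tcp from any to any setup keep-state' / 'deny ip from any to any'."""
    ack_lifetime: int = DEFAULT_ACK_LIFETIME
    keepalive: bool = True                        # models net.inet.ip.fw.dyn_keepalive
    states: dict = field(default_factory=dict)    # (end1, end2) -> absolute expiry time
    probes: list = field(default_factory=list)    # (t, to, spoofed_from): keepalives the firewall injected
    dropped: list = field(default_factory=list)   # (t, src, dst): endpoint segments with no live state

    @staticmethod
    def _key(src, dst):
        return tuple(sorted((src, dst)))          # one state covers both directions of the flow

    def _expire(self, now):
        self.states = {k: t for k, t in self.states.items() if t > now}

    def packet(self, now, src, dst, syn=False):
        """An endpoint-originated segment arrives at time `now`; return True if forwarded."""
        self._expire(now)
        key = self._key(src, dst)
        if syn:                                   # 'setup keep-state' creates the state
            self.states[key] = now + self.ack_lifetime
            return True
        if key in self.states:                    # 'check-state' hit refreshes the timer
            self.states[key] = now + self.ack_lifetime
            return True
        self.dropped.append((now, src, dst))      # mid-stream segment with expired state: hits 'deny'
        return False

    def tick(self, now, endpoints_answer=True):
        """Once-per-second housekeeping: age states out, then emit keepalives if enabled."""
        self._expire(now)
        if not self.keepalive:
            return
        for (end1, end2), expiry in list(self.states.items()):
            remaining = expiry - now
            if 0 < remaining <= KEEPALIVE_WINDOW and remaining % KEEPALIVE_INTERVAL == 0:
                # The firewall sends a keepalive ACK to each end, spoofed as coming from the other.
                self.probes.append((now, end1, end2))
                self.probes.append((now, end2, end1))
                if endpoints_answer:
                    # The probed end answers its real peer with an ACK; that ACK traverses
                    # the firewall like any other packet and refreshes the state.
                    self.packet(now, end1, end2)


def run_idle_session(fw, send_at, endpoints_answer=True):
    """Open A<->B at t=0, leave it idle, then at t=send_at let A send a normal (non-SYN)
    segment. Returns (was_it_forwarded, number_of_keepalives_the_firewall_injected)."""
    fw.packet(0, A, B, syn=True)
    for t in range(1, send_at):
        fw.tick(t, endpoints_answer)
    return fw.packet(send_at, A, B), len(fw.probes)


if __name__ == "__main__":
    scenarios = {
        "keepalive on, ends answer (default)": (DynFirewall(), True),
        "keepalive on, ends ignore probes":    (DynFirewall(), False),
        "keepalive off, lifetime 300 s":       (DynFirewall(keepalive=False), True),
        "keepalive off, lifetime 3600 s":      (DynFirewall(keepalive=False, ack_lifetime=3600), True),
    }
    for name, (fw, answer) in scenarios.items():
        forwarded, probes = run_idle_session(fw, 400, answer)
        print(f"{name:38s} forwarded after 400 s idle: {forwarded!s:5}  keepalives injected: {probes}")
```

With the defaults, the idle connection survives only because the firewall injected two segments the endpoints never sent, which is exactly what an endpoint can notice. Turning keepalives off (on FreeBSD, `sysctl net.inet.ip.fw.dyn_keepalive=0`) removes that signal, but then a connection idle longer than the lifetime stalls when its next segment hits the `deny` rule, which is another way to notice the middlebox; raising the lifetime (`sysctl net.inet.ip.fw.dyn_ack_lifetime=3600`) only pushes that point out at the cost of holding state longer.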