Date: Wed, 9 Feb 2005 00:43:18 +0100 From: Max Laier <max@love2party.net> To: freebsd-ipfw@freebsd.org Cc: Chris Dionissopoulos <dionch@freemail.gr> Subject: Re: Sticky pf(4)-like feature in ipfw? Message-ID: <200502090043.30704.max@love2party.net> In-Reply-To: <20050208150150.C28282@xorpc.icir.org> References: <000a01c50df5$4a4435e0$3c00000a@R3B> <20050208150150.C28282@xorpc.icir.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--nextPart36976067.LvBGxLmmto Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: inline On Wednesday 09 February 2005 00:01, Luigi Rizzo wrote: > the 'state only based on the 3-tuple' as you describe it > is certainly an interesting feature. It is slightly more expensive > to implement than what i thought at first, because you should > do two hash computations and lookups (one on the 5-tuple, one > on the 3-tuple) on each packet trying to match a dynamic rule. > > i just wonder why it is named 'sticky' in pf > which is not really very indicative of what the function does. It's actually called "sticky-address" and applies to all rules that select= =20 addresses from a pool. It is called that way as things work a bit differen= t=20 in PF. You'd have a forwarding rule that selects addresses from a pool as= =20 equivalent to the "prob .5 skip-to" in IPFW. The state matching isn't=20 affected at all (i.e. if you do stateful matching PF still performs 5-tuple= =20 matching). The "sticky-address" option on the pool, however, ensures that= =20 the next time a certain client needs to be forwarded it gets the same=20 translation address. As you said, you have to be careful with only 3-tuple states as it might op= en=20 to injection attacks and thus allow evildoers to bypass the firewall. > cheers > luigi > > On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote: > > Hi, > > I think of adding a new feature in (my local copy) ipfw (releng5) so th= at > > it makes also sticky match when forwarding broken protocols like ftp, > > h.323, sip, etc. > > Its inspired from pf(4) sticky feature as is.The general usage will be > > for "skipto" forwarding rules as shown in example below: > > > > Network ASCII-ART: > > > > Gateway1 Gateway2 > > > > ---------------- 192.168.1.0/24 > > > > [Freebsd-ipfw] > > > > ---------------- 192.168.3.0/24 > > > > ipfw.sh: > > ~~~~~~~~~~~~~~~~~~~~~~ > > #!/bin/sh > > fwcmd=3D"/sbin/ipfw" > > pass=3D"skipto 65535" > > > > gateway_mac1 =3D"00:0e:2e:03:36:23" > > gateway_mac2 =3D"00:0e:2e:03:37:23" > > gateway1=3D"192.168.1.2" > > gateway2 =3D"192.168.1.1" > > > > lan_network =3D "192.168.3.0/24" > > broken=3D"20,21,1720,6667,4600-4700" > > > > #CHECK STATES. > > ${fwcmd} add 100 check-state > > > > # INCOMING TRAFFIC > > ${fwcmd} add 1100 skipto 10100 ip from any to any mac any > > ${gateway_mac1}in recv rl0 keep-state > > ${fwcmd} add 1200 skipto 10200 ip from any to any mac any > > ${gateway_mac1}in recv rl0 keep-state > > > > #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%] > > ${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network}to not > > ${lan_network} dst-port ${broken} in recv rl1 keep-sticky > > ${fwcmd} add 2001 skipto 10201 tcp from ${lan_network}to not > > ${lan_network}dst-port ${broken} in recv rl1 keep-sticky > > > > #OUTGOING + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%] > > ${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network}to not > > ${lan_network}in recv rl1 keep-state > > ${fwcmd} add 2101 skipto 10201 ip from ${lan_network}to not > > ${lan_network}in recv rl1 keep-state > > > > #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER > > ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not > > ${lan_network} in recv rl1 > > ${fwcmd} add 10110 ${pass} ip from any to any > > > > #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER > > ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not > > ${lan_network} in recv rl1 > > ${fwcmd} add 10210 ${pass} ip from any to any > > > > ~~~~~~~~~~~~~~~~~~~~~~ > > > > > > "keep-sticky" main difference with "keep-state" is just relaxed state > > matching > > using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip), and > > not (scr_ip:src_port + dst_ip:dst_port) straight and reversed > > (=3Dkeep-state/limit). > > > > My question : > > Does anyone has already working on such feature? > > Cause its pretty easy to implement(*) "keep-sticky", does any of > > ipfw developers planning to add such feature in near future? > > > > > > Thanks, > > Chris. > > > > > > (*) > > 1. TOK_KEEPSTICKY in /usr/src/sbin/ipfw/ipfw2.c > > O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h > > and copy TOK_KEEPSTATE+O_KEEPSTATE code > > as a new case of cmd+rule argument. > > 2. Some changes in "lookup_dyn_rule_locked" function of > > /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state > > when "keep-sticky" is enabled. > > > > > > > > > > > > > > > > ____________________________________________________________________ > > http://www.freemail.gr - dwrean upyresia ylektronikou taxudromeiou. > > http://www.freemail.gr - free email service for the Greek-speaking. > > _______________________________________________ > > freebsd-net@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-net > > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" =2D-=20 /"\ Best regards, | mlaier@freebsd.org \ / Max Laier | ICQ #67774661 X http://pf4freebsd.love2party.net/ | mlaier@EFnet / \ ASCII Ribbon Campaign | Against HTML Mail and News --nextPart36976067.LvBGxLmmto Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQBCCU6iXyyEoT62BG0RArV4AJ9vT6QQOpEKXqeI2UiKkT3HnCh7FwCeOEVZ ZvZRffmYLbqIPQXJfxn7qGg= =RFGJ -----END PGP SIGNATURE----- --nextPart36976067.LvBGxLmmto--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200502090043.30704.max>