From owner-freebsd-net@FreeBSD.ORG Tue Apr 3 10:11:43 2007
Date: Tue, 3 Apr 2007 14:11:39 +0400
From: "Andrew Pantyukhin"
Sender: infofarmer@gmail.com
To: "Prokofiev S.P."
In-Reply-To: <20070403122855.V7770@logos.uptel.net>
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW Stateful behaviour
List-Id: Networking and TCP/IP with FreeBSD

On 4/3/07, Prokofiev S.P. wrote:
>
> Hi ALL!
> PF has a useful state-policy option: if-bound, group-bound, floating.
> I have found out that IPFW stateful rules do not become attached to the interface
> and behave like PF stateful rules in floating mode.
> For example, I build stateful rules (29991, 31991) on two interfaces for two
> different networks. I send a packet "pkt" from network net_staff1 to
> network net_staff2. It creates a stateful rule on entering if1, then it gets access
> to net_staff2 on output from if2 by the keep-state rule 31991.
> Deny rule 31995 does not work.
>
> I solved this problem with tag and skipto (29990, 31990), but it is not
> absolutely beautiful.
> Are other solutions possible?

I'm still not sure what your goal is. If you want both staff nets to have
internet access, and to be isolated from each other, then allow
"out recv if-staff[12] xmit if-inet" and deny everything else.
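A small model of ipfw's dynamic-rule lookup, added here as an illustration of the exchange above; it is not code from the thread or from FreeBSD. It shows why the floating dynamic table lets a packet that created state on the net_staff1 interface sail past a deny on the net_staff2 interface, and why allowing only "out recv <staff if> xmit <inet if>" closes that path. The interface names em0/em1/em2, the prefixes, and the rule numbers are assumptions; the stateless "in recv" rules in the fixed set are my addition, since a forwarded packet must pass the input hook before the output rule (where recv and xmit are both known) can decide on it.

```python
"""Toy model of ipfw stateful evaluation: floating dynamic rules vs. recv/xmit.

Constructed illustration, not FreeBSD code. It models just enough of ipfw(8)
to show a keep-state rule on one interface admitting a packet on another.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str              # "in" or "out"
    recv: str                   # interface the packet was received on
    xmit: Optional[str] = None  # interface it will leave on ("out" only)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                 # "allow", "deny" or "check-state"
    src: str = "any"
    dst: str = "any"
    direction: Optional[str] = None
    via: Optional[str] = None   # matches either recv or xmit, like ipfw 'via'
    recv: Optional[str] = None
    xmit: Optional[str] = None
    keep_state: bool = False


def _net_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _body_match(r: Rule, p: Packet) -> bool:
    return (_net_match(r.src, p.src) and _net_match(r.dst, p.dst)
            and (r.direction is None or r.direction == p.direction)
            and (r.via is None or r.via in (p.recv, p.xmit))
            and (r.recv is None or r.recv == p.recv)
            and (r.xmit is None or r.xmit == p.xmit))


class Ipfw:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)
        # Dynamic table keyed by the address pair only: no interface is stored,
        # which is what makes ipfw state "floating" in pf's terms.
        self.dyn = {}

    def check(self, p: Packet) -> tuple:
        """Return (action, rule number) that decides the packet."""
        key = frozenset((p.src, p.dst))
        for r in self.rules:
            # check-state, and implicitly every keep-state rule, consults the
            # dynamic table first; a hit repeats the creating rule's verdict.
            if r.action == "check-state" or r.keep_state:
                if key in self.dyn:
                    return self.dyn[key]
                if r.action == "check-state":
                    continue
            if not _body_match(r, p):
                continue
            if r.keep_state:
                self.dyn[key] = (r.action, r.number)
            return (r.action, r.number)
        return ("deny", 65535)  # default rule


# Assumed topology: em0 = net_staff1, em1 = net_staff2, em2 = internet.
STAFF1, STAFF2 = "10.1.0.0/16", "10.2.0.0/16"
IF_STAFF1, IF_STAFF2, IF_INET = "em0", "em1", "em2"

# In the spirit of the poster's ruleset: per-interface keep-state allows plus a
# deny meant to keep net_staff1 out of net_staff2 (numbers follow the thread).
PROBLEM = [
    Rule(29991, "allow", src=STAFF1, direction="in", via=IF_STAFF1, keep_state=True),
    Rule(31991, "allow", src=STAFF2, direction="in", via=IF_STAFF2, keep_state=True),
    Rule(31995, "deny", dst=STAFF2, direction="out", via=IF_STAFF2),
]

# Andrew's suggestion: allow only 'out recv <staff if> xmit <inet if>' with state.
# The stateless 'in recv' rules are my addition so a packet can enter the stack;
# the policy decision is taken on output, where recv and xmit are both known.
FIXED = [
    Rule(100, "check-state"),
    Rule(200, "allow", src=STAFF1, direction="in", recv=IF_STAFF1),
    Rule(210, "allow", src=STAFF2, direction="in", recv=IF_STAFF2),
    Rule(300, "allow", direction="out", recv=IF_STAFF1, xmit=IF_INET, keep_state=True),
    Rule(310, "allow", direction="out", recv=IF_STAFF2, xmit=IF_INET, keep_state=True),
]


def forward(fw: Ipfw, src: str, dst: str, ifin: str, ifout: str) -> tuple:
    """Push one forwarded packet through the input hook, then the output hook."""
    verdict = fw.check(Packet(src, dst, "in", recv=ifin))
    if verdict[0] != "allow":
        return verdict
    return fw.check(Packet(src, dst, "out", recv=ifin, xmit=ifout))


if __name__ == "__main__":
    # State created on em0 input is found again on em1 output: deny 31995 is never reached.
    print("problem staff1->staff2:", forward(Ipfw(PROBLEM), "10.1.0.5", "10.2.0.7", "em0", "em1"))
    fw = Ipfw(FIXED)
    print("fixed   staff1->staff2:", forward(fw, "10.1.0.5", "10.2.0.7", "em0", "em1"))
    print("fixed   staff1->inet:  ", forward(fw, "10.1.0.5", "198.51.100.9", "em0", "em2"))
    print("fixed   inet reply:    ", forward(fw, "198.51.100.9", "10.1.0.5", "em2", "em0"))
```

Run stand-alone, the problem ruleset reports ("allow", 29991) for the staff1-to-staff2 packet on its way out of em1 (the same packet is denied by 31995 only if no state exists yet), while the recv/xmit ruleset denies it at the default rule and still lets staff1's internet flow and its reply through on the state created by rule 300.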