From: Lev Serebryakov
Reply-To: lev@FreeBSD.org
Date: Fri, 30 Jan 2015 03:52:24 +0300
To: freebsd-net@freebsd.org
Subject: Re: ipfw, nat and stateful firewall: why "keep-state" on "skipto" works at all and how do this properly?
Message-ID: <54CAD5C8.3080904@FreeBSD.org>
In-Reply-To: <54CAD234.3020407@FreeBSD.org>

On 30.01.2015 03:37, Lev Serebryakov wrote:

> Is there a better way to have nat and stateful ruleset?

Actions like "create-dyn-allow" and "create-dyn-deny" will be very nice, BTW :) But it looks like it is hard to add, as now dynamic rules are "replaced" by parents, and could not be easily replaced by other rules.

--
// Lev Serebryakov AKA Black Lion