Date: Tue, 3 Apr 2007 14:35:01 +0300 (EEST)
From: "Prokofiev S.P." <proks@logos.uptel.net>
To: Andrew Pantyukhin <infofarmer@FreeBSD.org>
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW Stateful behaviour
Message-ID: <20070403140325.G8366@logos.uptel.net>
In-Reply-To: <cb5206420704030311n28a88a68s2c1c0b562e3eb861@mail.gmail.com>
References: <20070403122855.V7770@logos.uptel.net> <cb5206420704030311n28a88a68s2c1c0b562e3eb861@mail.gmail.com>
Hi!

I want both staff nets to have access to the internet and to my other networks via dynamic rules (i.e. connections initiated by staff[12]), and to be isolated from everything else: the internet (if-default) and the networks on this router's interfaces, which have various stateless and stateful rules. I have drawn a simplified scheme.

On Tue, 3 Apr 2007, Andrew Pantyukhin wrote:

> On 4/3/07, Prokofiev S.P. <proks@logos.uptel.net> wrote:
>>
>> Hi ALL!
>> PF has a useful state-policy option: if-bound, group-bound, floating.
>> I have found out that IPFW stateful rules do not become attached to the
>> interface and behave like PF stateful rules in floating mode.
>> For example, I build stateful rules (29991, 31991) on two interfaces for two
>> different networks. I send a packet "pkt" from network net_staff1 to
>> network net_staff2. It creates a stateful rule on entry to if1, then it gets
>> access to net_staff2 on output from if2 by the keep-state rule 31991.
>> Deny rule 31995 does not work.
>>
>> I have solved this problem with tag and skipto (29990, 31990), but it is not
>> absolutely beautiful.
>> Are other solutions possible?
>
> I'm still not sure what your goal is. If you want both
> staff nets to have internet access, and to be isolated
> from each other, then allow
> "out recv if-staff[12] xmit if-inet"
> and deny everything else.
>
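A router ruleset along the lines Andrew suggests, added here as an example and not part of the thread: interface names, network prefixes and all rule numbers other than 29991/31991 are assumptions, and by default the script only prints the ipfw commands (set IPFW=ipfw to load them). The point it illustrates is that ipfw dynamic rules are floating, so isolation has to come from where state is created (the keep-state rule with recv/xmit), not from where it is checked.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: IPFW="echo ipfw".
IPFW="${IPFW:-echo ipfw}"
IF_INET="${IF_INET:-em0}"                 # assumed: upstream (if-inet)
IF_STAFF1="${IF_STAFF1:-em1}"             # assumed: if-staff1
IF_STAFF2="${IF_STAFF2:-em2}"             # assumed: if-staff2
NET_STAFF1="${NET_STAFF1:-10.1.1.0/24}"   # constructed prefix
NET_STAFF2="${NET_STAFF2:-10.1.2.0/24}"   # constructed prefix

build_ruleset() {
    # Dynamic rules match on any interface, so a check-state rule cannot
    # enforce isolation by itself; it only honours state that exists.
    $IPFW add 1000 check-state

    # Accept everything on input and decide on the outbound pass, where
    # both recv and xmit interfaces are known. Packets addressed to the
    # router itself never take the outbound pass and are not covered here.
    $IPFW add 1100 allow ip from any to any in

    # State is created only for flows that arrived on a staff interface
    # and leave towards the internet. A staff1 -> staff2 packet has
    # xmit $IF_STAFF2, matches neither keep-state rule, and so never gets
    # a dynamic rule that a later check-state could honour.
    $IPFW add 29991 allow ip from $NET_STAFF1 to any out recv $IF_STAFF1 xmit $IF_INET keep-state
    $IPFW add 31991 allow ip from $NET_STAFF2 to any out recv $IF_STAFF2 xmit $IF_INET keep-state

    # Everything else (staff1 <-> staff2, internet-initiated flows towards
    # the staff nets) falls through to this deny.
    $IPFW add 65000 deny log ip from any to any
}

build_ruleset
```

Replies from the internet come in on $IF_INET and are allowed by rule 1100, then on output towards the staff net they hit check-state and match the dynamic rule created by 29991 or 31991.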