From owner-freebsd-net@FreeBSD.ORG Tue Apr 3 11:35:03 2007
Date: Tue, 3 Apr 2007 14:35:01 +0300 (EEST)
From: "Prokofiev S.P."
To: Andrew Pantyukhin
Cc: freebsd-net@freebsd.org
Subject: Re: IPFW Stateful behaviour
Message-ID: <20070403140325.G8366@logos.uptel.net>
In-Reply-To:
References: <20070403122855.V7770@logos.uptel.net>
List-Id: Networking and TCP/IP with FreeBSD

Hi!

I want both staff nets to have internet access and access to my other networks by dynamic rules (i.e. connections initiated by staff[12]), and to be isolated from everything else: inet (if-default) and the networks on this router's interfaces, with various stateless and stateful rules. I have drawn the simplified scheme.

On Tue, 3 Apr 2007, Andrew Pantyukhin wrote:

> On 4/3/07, Prokofiev S.P. wrote:
>>
>> Hi ALL!
>> PF has a useful state-policy option: if-bound, group-bound, floating.
>> I have found that IPFW stateful rules do not become attached to the
>> interface and behave like PF stateful rules in floating mode.
>> For example, I build stateful rules (29991, 31991) on two interfaces for two
>> different networks. I send a packet "pkt" from network net_staff1 to
>> network net_staff2. It creates a stateful rule on entry at if1, then it gets
>> access to net_staff2 on output from if2 by the keep-state 31991 rule.
>> Deny rule 31995 does not work.
>>
>> I have solved this problem with tag and skipto (29990, 31990), but it is not
>> absolutely beautiful.
>> Are other solutions possible?
>
> I'm still not sure what your goal is. If you want both
> staff nets to have internet access, and to be isolated
> from each other, then allow
> "out recv if-staff[12] xmit if-inet"
> and deny everything else.
>
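The following script is an added example and is not code from the thread or from the FreeBSD project. It writes out one possible ipfw layout for the tag/skipto workaround described above, with a per-interface block for each staff interface. Only the rule numbers 29991, 31991 and 31995 come from the thread; the other numbers, the block layout, the interface names (if1, if2, kept as placeholders) and the two sample prefixes are assumptions. The point it makes concrete is the one the thread turns on: ipfw consults the dynamic table at the first check-state, keep-state or limit rule a packet reaches, and a dynamic entry is not bound to the interface that created it, so a tag test has to sit before the stateful rule, not after it.

```shell
#!/bin/sh
# Added example, not the thread's or the FreeBSD project's code.
# IPFW defaults to "echo ipfw" so the script is a dry run anywhere; on the
# router run it as:  IPFW=/sbin/ipfw sh staff-rules.sh load
IPFW="${IPFW:-echo ipfw}"
IF1="${IF1:-if1}"                            # interface facing net_staff1 (placeholder)
IF2="${IF2:-if2}"                            # interface facing net_staff2 (placeholder)
NET_STAFF1="${NET_STAFF1:-192.0.2.0/24}"     # constructed sample prefix
NET_STAFF2="${NET_STAFF2:-198.51.100.0/24}"  # constructed sample prefix

# Layout (assumed, except 29991/31991/31995 which the thread names):
#   100/101  dispatch every packet seen via if1/if2 into that interface's block
#   110/120  all other interfaces (inet etc.) reduced here to check-state + deny
#   29980    "count tag 1" marks packets that entered via if1; count does not
#            stop the search and the mbuf tag survives into the outbound pass
#   29985    packets leaving via if1 that entered via if2 jump straight to the
#            block's deny, BEFORE 29991 can look up the floating dynamic entry
#   29991    the stateful allow for net_staff1, as in the original scheme
#   319xx    the mirror image for if2
emit_staff_rules() {
    cat <<EOF
add 100 skipto 29980 ip from any to any via $IF1
add 101 skipto 31980 ip from any to any via $IF2
add 110 check-state
add 120 deny ip from any to any
add 29980 count tag 1 ip from any to any in via $IF1
add 29985 skipto 29995 ip from any to any out via $IF1 tagged 2
add 29991 allow ip from $NET_STAFF1 to any in via $IF1 keep-state
add 29995 deny ip from any to any
add 31980 count tag 2 ip from any to any in via $IF2
add 31985 skipto 31995 ip from any to any out via $IF2 tagged 1
add 31991 allow ip from $NET_STAFF2 to any in via $IF2 keep-state
add 31995 deny ip from any to any
EOF
}

# Feed each generated rule to ipfw (or to echo in dry-run mode).
load_staff_rules() {
    emit_staff_rules | while IFS= read -r rule; do
        $IPFW $rule
    done
}

# Invariant 1: every skipto target exists and is higher-numbered, because
# ipfw only jumps forward. Returns non-zero on the first violation.
check_skipto_targets() {
    emit_staff_rules | awk '
        { num[$2] = 1 }
        $3 == "skipto" { target[$2] = $4 }
        END {
            for (n in target)
                if (!(target[n] in num) || target[n] + 0 <= n + 0) exit 1
        }'
}

# Invariant 2: every tag-driven skipto jumps over at least one keep-state
# rule. A skipto that lands before the stateful rule would still let the
# floating dynamic entry admit the cross-staff packet.
check_skips_over_state() {
    emit_staff_rules | awk '
        /keep-state/ { ks[$2] = 1 }
        $3 == "skipto" && /tagged/ { from[$2] = $4 }
        END {
            for (n in from) {
                hit = 0
                for (k in ks)
                    if (k + 0 > n + 0 && k + 0 < from[n] + 0) hit = 1
                if (!hit) exit 1
            }
        }'
}

case "${1:-}" in
    load)  load_staff_rules ;;
    check) check_skipto_targets && check_skips_over_state && echo "ruleset ok" ;;
esac
```

Run it with `check` to verify the two ordering invariants before loading, and with `load` on the router to install the rules. Walking the thread's packet through this layout: on the inbound pass via if1 the packet hits rule 100, is tagged 1 at 29980 and creates its dynamic entry at 29991; on the outbound pass via if2 it hits rule 101, matches `tagged 1` at 31985 and is sent to the deny at 31995, so 31991 never performs the dynamic lookup. Traffic from net_staff1 to the internet leaves through neither staff interface, reaches check-state at 110 and is admitted by the same dynamic entry, which is exactly the floating behaviour the poster wants to keep for that direction.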