From: Ian Smith
To: Lev Serebryakov
Cc: freebsd-ipfw, freebsd-net
Subject: Re: [RFC][patch] Two new actions: state-allow and state-deny
Date: Tue, 3 Feb 2015 23:31:58 +1100 (EST)
Message-ID: <20150203231410.Y38620@sola.nimnet.asn.au>
In-Reply-To: <54D0A1AA.4080402@FreeBSD.org>
References: <54CFCD45.9070304@FreeBSD.org> <20150203205715.A38620@sola.nimnet.asn.au> <54D0A1AA.4080402@FreeBSD.org>

On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
> On 03.02.2015 13:04, Ian Smith wrote:
>
> >> Now to make a stateful firewall with NAT you need to make some not
> >> very "readable" tricks to record state ("allow") of an outbound
> >> connection before NAT, but pass the packet to NAT after that. I know
> >> two:
> >>
> >> (a) skipto-nat-allow pattern from many HOWTOs
> >
> > Lev, can you provide references for these HOWTOs you refer to?
> >
> > I have a suspicion that some of them should be taken out and shot.
>
> google for "FreeBSD ipfw nat stateful" :) There are a lot of them. Not
> real HOWTOs, but blog posts and the like.

As I suspected, most of them either are, refer to, or are based on the Handbook IPFW page, which I believe has caused more damage to the cause of IPFW adoption and usage than anything else. ipfw(8) is your friend, and pretty much your only friend in this regard.

Of those, https://nileshgr.com/2014/12/07/freebsd-ipfw-nat-jails isn't bad. Many of the others are up to 10 years old and not much help.

http://www.pl.freebsd.org/doc/handbook/firewalls-ipfw.html is an earlier version of https://www.freebsd.org/doc/handbook/firewalls-ipfw.html, which has undergone significant improvement lately (compare), but still contains factual errors in the rulesets and very muddle-headed ideas regarding syslog and other things, IMHO.

I'd best say no more on this topic; you can't discombobulate confusion.

Cheers, Ian out

> BTW, without a new mechanism it is really hard to do such a firewall, as
> we need an action (nat) after "allow keep-state". It could be done with
> this ugly skipto or with "allow keep-state" in the INCOMING section of the
> firewall, which is not much better, as I prefer to decide whether to let a packet
> out or not in the OUTGOING part of the firewall, and with "allow keep-state"
> in the incoming path it floods the state table with unused states.
>
> Another problem is that "keep-state" acts as "check-state" too, so you
> cannot have ANOTHER "keep-state" before NAT in the outgoing part or you
> miss nat completely (state is created in the outgoing path, and then
> checked before nat in the outgoing path with "keep-state", grrrrr, ugly!).
>
> --
> // Lev Serebryakov AKA Black Lion
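The skipto-nat-allow pattern the thread refers to, written out as an added illustration that is not part of this message or of the patch under discussion; the interface name em0, the LAN prefix and the rule numbers are assumptions, and the comments follow the dynamic-rule semantics documented in ipfw(8) (a match at check-state executes the action of the rule that created the state):

```sh
#!/bin/sh
# Added example: the skipto-nat-allow pattern for a stateful ipfw ruleset
# with in-kernel nat. Interface, LAN prefix and rule numbers are assumed;
# loopback and LAN-side rules of a real ruleset are omitted.
ext_if="em0"            # assumed external interface
lan="192.168.1.0/24"    # assumed internal network

# nat must hand the packet on to the following rules instead of accepting
# it outright, so one_pass is turned off.
sysctl net.inet.ip.fw.one_pass=0
ipfw -q -f flush
ipfw -q nat 1 config if "$ext_if" reset

# Inbound on the external interface: translate first, so that check-state
# below sees the internal addresses the state was recorded with.
ipfw -q add 100 nat 1 ip from any to any in via "$ext_if"

# Dynamic rules are evaluated here. A match executes the action of the
# rule that created the state, which is why the parent action matters.
ipfw -q add 200 check-state

# Unsolicited inbound traffic that matched no state stops here; replies
# to recorded flows skipped past this rule from check-state.
ipfw -q add 210 deny ip from any to any in via "$ext_if"

# Outbound from the LAN: record state and jump to the nat section. The
# dynamic rule inherits "skipto 1000", so every later packet of the flow,
# matched at rule 200, is also sent through nat.
ipfw -q add 300 skipto 1000 tcp from "$lan" to any out via "$ext_if" setup keep-state
ipfw -q add 310 skipto 1000 udp from "$lan" to any out via "$ext_if" keep-state

# The variant the thread warns against: with "allow ... keep-state" here,
# the dynamic rule would carry "allow", and packets matched at rule 200
# would be accepted untranslated, never reaching nat at rule 1000.
#   ipfw -q add 300 allow tcp from "$lan" to any out via "$ext_if" setup keep-state

ipfw -q add 400 deny ip from any to any out via "$ext_if"

# nat section for outbound traffic, then accept.
ipfw -q add 1000 nat 1 ip from any to any out via "$ext_if"
ipfw -q add 1100 allow ip from any to any
```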