Date: Tue, 3 Apr 2007 12:37:21 +0300 (EEST)
From: "Prokofiev S.P." <proks@logos.uptel.net>
To: freebsd-net@freebsd.org
Subject: IPFW Stateful behaviour
Message-ID: <20070403122855.V7770@logos.uptel.net>
Hi ALL!

PF has a useful state-policy option: if-bound, group-bound, floating. I have found out that IPFW stateful rules do not become attached to the interface and behave as PF stateful rules in floating mode.

For example, I build stateful rules (29991, 31991) on two interfaces for two different networks. I send a packet "pkt" from network net_staff1 to network net_staff2. It creates a stateful rule on entering if1, then it gets access to net_staff2 on output from if2 by the keep-state rule 31991. Deny rule 31995 does not work.

I have solved this problem by tag and skipto (29990, 31990), but it is not absolutely beautiful. Are other solutions possible?

                 +-----------------+
                 |             if1 O----net_staff1
                 |   -----<----pkt |
 ----INET---O if0|                 |
                 |   ----->---->   |
                 |             if2 O----net_staff2
                 +-----------------+

ipfw add skipto 29000 ip from any to any via $if1
ipfw add skipto 31000 ip from any to any via $if2

############## IF1 29000
N_DA=29995
ipfw add 29990 skipto $N_DA log ip from any to any via $if1 tagged 65534 // bypass another stateful
ipfw add 29991 allow tag 65534 log ip from $net_staff1 to any via $if1 in keep-state // stateful
ipfw add $N_DA deny log ip from any to $net_staff1 via $if1 out
ipfw add 29999 skipto 65000 ip from any to any via $if1

############## IF2 31000
N_DA=31995
ipfw add 31990 skipto $N_DA log ip from any to any via $if2 tagged 65534 // bypass another stateful
ipfw add 31991 allow tag 65534 log ip from $net_staff2 to any via $if2 in keep-state // stateful
ipfw add $N_DA deny log ip from any to $net_staff2 via $if2 out
ipfw add 31999 skipto 65000 ip from any to any via $if2

Sorry for my English.