Date: Thu, 2 Apr 2009 12:51:13 +0700 From: Victor Sudakov <vas@mpeks.tomsk.su> To: freebsd-questions@freebsd.org Subject: keep-state and divert Message-ID: <20090402055113.GA35989@admin.sibptus.tomsk.ru>
next in thread | raw e-mail | index | archive | help
Colleagues, I have read some recommendations on combining a stateful firewall with divert, e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html and http://nuclight.livejournal.com/124348.html (the latter is in Russian). Do I understand correctly that it is (mathematically?) impossible to use the two together without also using "skipto"? If we consider a simple example below, how would you replace the 600th rule for a stateful one? 00100 divert 8668 ip from any to table(1) out via rl0 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0 00500 divert 8668 ip from table(1) to any in via rl0 00600 allow ip from table(1) to any in via rl0 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0 65535 allow ip from any to any Thank you in advance for any input. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@sibptus.tomsk.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090402055113.GA35989>