Date:      Mon, 5 Aug 2002 18:35:25 -0400
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        <cjclark@alum.mit.edu>, "Nick Rogness" <nick@rogness.net>
Cc:        "FBIPFW" <freebsd-ipfw@FreeBSD.ORG>, <archie@whistle.com>, <cmott@scientech.com>, <perhaps@yes.no>, <suutari@iki.fi>, <dnelson@redwoodsoft.com>, <brian@awfulhak.org>, <ru@FreeBSD.ORG>, <rizzo@icir.org>
Subject:   RE: natd & keep-state
Message-ID:  <MIEPLLIBMLEEABPDBIEGKEJFCHAA.barbish@a1poweruser.com>
In-Reply-To: <20020805180536.GA63145@blossom.cjclark.org>

What I believe the original poster was referring to is
skipto 2000 check-state

so all packets that have matches in the dynamic table will
go to the skipto rule instead of exiting the rules file.
At that skipto rule there would be a divert natd rule via $xif, followed by
an allow all from any to any that would exit the rules file.
This sure would simplify the rule gymnastics for keep-state
logic using natd.
# Jump direct to outbound section.
$cmd 130 skipto 600 all from any to any out via $xif

$cmd 210 divert natd all from any to any in via $xif
$cmd 212 skipto 500 check-state
$cmd 215 allow tcp from any to any 80 in via $xif setup keep-state
$cmd 291 deny log logamount 500 all from any to any
$cmd 500 allow all from any to any

$cmd 600 skipto 690 check-state
$cmd 609 skipto 690 tcp from any to any 80 out via $xif setup keep-state
$cmd 610 skipto 690 tcp from any to $odns1 53 out via $xif setup keep-state
$cmd 611 skipto 690 udp from any to $odns1 53 out via $xif keep-state
$cmd 630 skipto 690 tcp from any to any 25,110 out via $xif setup keep-state

$cmd 690 divert natd all from any to any out via $xif
$cmd 692 allow all from any to any out via $xif
-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG
[mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Crist J. Clark
Sent: Monday, August 05, 2002 2:06 PM
To: Nick Rogness
Cc: Joe & Fhe Barbish; FBIPFW; archie@whistle.com; cmott@scientech.com;
perhaps@yes.no; suutari@iki.fi; dnelson@redwoodsoft.com; brian@awfulhak.org;
ru@FreeBSD.ORG; rizzo@icir.org
Subject: Re: natd & keep-state

On Sat, Aug 03, 2002 at 08:53:10PM -0500, Nick Rogness wrote:
> On Sat, 3 Aug 2002, Crist J. Clark wrote:
>
> [SNIP]
> > Fine, whatever. But the ipfw(8) and natd(8) developers seem to hold
> > the same opinion. Maybe if you proposed some possible way for natd(8)
> > and 'keep-state' rules to work well together someone could do it.
>
>       FWIW, you can modify the behavior of "check-state" to "JUMP TO
>       RULE NUMBER XXX on stateful match" and solve most of the problems
>       associated with natd & stateful inspection.  Right now,
>       if check-state finds a match it stops...we need it to optionally
>       JUMP_TO RULE XXX.  Kinda like "skipto" functionality.
>
>       I talked to Luigi about this and he didn't understand what I
>       meant (which is my fault).  But I believe the concept is still
>       sound.

Well, I'm not sure I understand exactly what you mean either, but I
would note,

  ipfw 1000 add skipto 5000 ip from $src to $dst keep-state

_Does_ work. 'keep-state' rules need not be only 'pass' actions.

I just tested to make sure. I started with the ruleset,

  00100   0     0 skipto 2000 tcp from 192.168.64.70 to me keep-state
  01000  34  4158 allow ip from any to any
  02000   0     0 allow ip from any to any
  65535   0     0 deny ip from any to any

And started a TCP connection,

  00100  18  3895 skipto 2000 tcp from 192.168.64.70 to me keep-state
  01000  54  5362 allow ip from any to any
  02000  18  3895 allow ip from any to any
  65535   0     0 deny ip from any to any

Then I added some rules to make sure that it was really working, and
after passing some more data over the existing channel,

  00090   0     0 check-state
  00095   0     0 allow ip from me to 192.168.64.70
  00096   0     0 allow ip from 192.168.64.70 to me
  00100 141 15076 skipto 2000 tcp from 192.168.64.70 to me keep-state
  01000 877 89158 allow ip from any to any
  02000 141 15076 allow ip from any to any
  65535   0     0 deny ip from any to any

Notice that rules 95 and 96 do not get hit. The 'skipto' is being done
at the 'check-state' rule.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

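The behaviour Crist's counters show, the skipto being performed at the check-state rule with the hit charged to the parent keep-state rule so that 95 and 96 never fire, as an added Python model that is not code from this thread. The rule walker is a deliberate simplification of ipfw (no protocols, ports or interfaces; a flow is keyed only by its two endpoints; "me" stands in for the local host); the rule numbers and the 192.168.64.70 address are those of the quoted test.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    num: int
    action: str            # "allow", "deny", "skipto" or "check-state"
    target: int = 0        # skipto destination rule number
    src: str = "any"
    dst: str = "any"
    keep_state: bool = False
    hits: int = 0          # packet counter, as in the 'ipfw show' output above

class Firewall:
    def __init__(self, *rules):
        self.rules, self.dynamic = [], {}   # dynamic: frozenset({src, dst}) -> parent rule
        self.add(*rules)

    def add(self, *rules):
        self.rules = sorted(self.rules + list(rules), key=lambda r: r.num)

    def process(self, pkt):                 # pkt is a constructed (src, dst) tuple
        i, key = 0, frozenset(pkt)
        while i < len(self.rules):
            rule = self.rules[i]
            # check-state, and the implicit check every keep-state rule performs: on a
            # dynamic match the PARENT rule is the one whose action runs and gets charged.
            hit = self.dynamic.get(key) if rule.keep_state or rule.action == "check-state" else None
            if (hit is None and rule.action != "check-state"
                    and rule.src in ("any", pkt[0]) and rule.dst in ("any", pkt[1])):
                hit = rule
                if rule.keep_state:
                    self.dynamic[key] = rule        # create the dynamic entry
            if hit is None:
                i += 1                              # no match: fall through
                continue
            hit.hits += 1
            if hit.action != "skipto":
                return hit.action
            i = next((k for k, r in enumerate(self.rules) if r.num >= hit.target), len(self.rules))
        return "deny"                               # implicit default rule 65535

def crist_test():
    """Replay the quoted experiment: open the flow first, then add rules 90/95/96."""
    fw = Firewall(Rule(100, "skipto", 2000, "192.168.64.70", "me", keep_state=True),
                  Rule(1000, "allow"), Rule(2000, "allow"))
    fw.process(("192.168.64.70", "me"))             # the SYN creates the dynamic entry
    fw.add(Rule(90, "check-state"), Rule(95, "allow", src="me", dst="192.168.64.70"),
           Rule(96, "allow", src="192.168.64.70", dst="me"))
    for pkt in [("me", "192.168.64.70"), ("192.168.64.70", "me")] * 3:
        fw.process(pkt)                             # more data over the existing channel
    return {r.num: r.hits for r in fw.rules}        # rules 90, 95 and 96 stay at 0
```

Because ipfw books a dynamic match against the parent rule, the check-state rule itself also stays at zero, which matches the `00090 0 0 check-state` line in the quoted output.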