Date: Sat, 18 Jan 2003 17:39:10 +0000
From: AMAKAWA Shuhei <sa264@cam.ac.uk>
To: Tim Burgess <tim@queens.unimelb.edu.au>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: keep-state checking of interface?
Message-ID: <E18ZwwB-0003wM-00@yellow.csi.cam.ac.uk>
In-Reply-To: <911DF304-2AFD-11D7-B465-000393BE2C60@queens.unimelb.edu.au>
References: <911DF304-2AFD-11D7-B465-000393BE2C60@queens.unimelb.edu.au>
At Sun, 19 Jan 2003 02:57:38 +1100,
Tim Burgess wrote:
>
> So, it would be nice if the stateful rules could be tied to a
> particular interface using some kind of syntax. I realise that a lot
> of simple firewalls don't really take into account that the packets
> pass through (possibly) twice, so the original syntax would be relied
> upon by many users; however, for situations like ours (which I don't
> imagine are rare) it would be very nice to have.

Something like this, perhaps?

  10 check-state

  100 skipto 1000 ip from any to any via abc0
  101 skipto 2000 ip from any to any via abc1
  102 allow ip from any to any via abc2

  1001 skipto 1500 tcp from 1.2.3.0/24 to any 80,443,110,22 in recv abc0 keep-state
  1002 deny ip from any to any

  1500 allow ip from any to any via abc0
  1999 deny ip from any to any

  2001 allow tcp from any to 4.5.6.10 80
  2002 allow tcp from 4.5.6.10 80 to any established
  2003 skipto 2500 tcp from 4.5.6.11 to any 25 in recv abc1 keep-state
  2004 deny ip from any to any

  2500 allow ip from any to any via abc1
  2999 deny ip from any to any

When a match is found by check-state, the associated "skipto" is
executed rather than allow. Then you can perform some extra checking.

I don't know if my example above is correct, but you get the idea?

-- 
Shuhei

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
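The following is an added example, not code from the message above or from ipfw itself. It is a small Python model of ipfw rule evaluation that transcribes Shuhei's sketched ruleset and implements the semantics he proposes: when check-state finds a dynamic entry, the action of the rule that created it is executed, so a skipto parent jumps into its chain. The model assumes that a forwarded packet is filtered twice (on input and again on output), that dynamic entries key on protocol, addresses and ports only and record no interface, and it represents the TCP "established" option as a boolean on the packet. The interface names, the hosts 1.2.3.4, 9.9.9.9 and 10.0.0.5 and the port numbers in the scenarios are constructed for the example.

```python
"""Toy model of ipfw check-state/keep-state/skipto evaluation.  Added example,
not code from the list post.  It transcribes Shuhei's sketched rules and the
semantics he proposes: a check-state hit runs the action of the rule that
created the dynamic entry, so a skipto parent jumps into its chain.
Assumptions: a forwarded packet is filtered on input and again on output;
dynamic entries key on proto/addresses/ports and record no interface."""
import bisect
import ipaddress
from collections import namedtuple

# direction is "in" or "out"; established models the TCP "established" option
Packet = namedtuple("Packet", "proto src sport dst dport iface direction established",
                    defaults=(False,))
# action: check-state | allow | deny | skipto (to target).  sports/dports: () = any.
# via matches iface in either direction; recv only on input.  src/dst: CIDR or "any".
Rule = namedtuple("Rule", "num action target proto src dst sports dports via recv "
                  "established keep_state",
                  defaults=(0, "ip", "any", "any", (), (), None, None, False, False))

def _addr_ok(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """Static match of one rule against one packet; dynamic state is handled in check()."""
    return (rule.proto in ("ip", pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (not rule.sports or pkt.sport in rule.sports)
            and (not rule.dports or pkt.dport in rule.dports)
            and (rule.via is None or pkt.iface == rule.via)
            and (rule.recv is None or (pkt.direction == "in" and pkt.iface == rule.recv))
            and (not rule.established or pkt.established))

class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.nums = [r.num for r in self.rules]
        self.by_num = {r.num: r for r in self.rules}
        self.dyn = {}   # (proto, src, sport, dst, dport) -> number of the creating rule

    def _dyn_parent(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.dyn.get(fwd, self.dyn.get(rev))

    def check(self, pkt):
        """Return (verdict, deciding rule number, rule numbers visited)."""
        i, trace = 0, []
        while i < len(self.rules):
            rule = self.rules[i]
            trace.append(rule.num)
            if rule.action == "check-state":
                parent = self._dyn_parent(pkt)
                rule = self.by_num[parent] if parent is not None else None
                if rule is not None:
                    trace.append(parent)   # proposed semantics: run the parent's action
            elif not matches(rule, pkt):
                rule = None
            elif rule.keep_state:
                self.dyn[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = rule.num
            if rule is None:
                i += 1
            elif rule.action in ("allow", "deny"):
                return rule.action, rule.num, trace
            else:
                i = bisect.bisect_left(self.nums, rule.target)   # skipto: first rule >= target
        return "deny", 65535, trace   # default rule

def forward(fw, pkt, out_iface):
    """Filter a forwarded packet on its input leg and, if passed, on its output leg."""
    verdict_in = fw.check(pkt)
    if verdict_in[0] != "allow":
        return verdict_in, None
    return verdict_in, fw.check(pkt._replace(iface=out_iface, direction="out"))

POSTED_RULES = [   # Shuhei's sketch, transcribed from the message above
    Rule(10, "check-state"),
    Rule(100, "skipto", 1000, via="abc0"),
    Rule(101, "skipto", 2000, via="abc1"),
    Rule(102, "allow", via="abc2"),
    Rule(1001, "skipto", 1500, "tcp", "1.2.3.0/24", dports=(80, 443, 110, 22), recv="abc0", keep_state=True),
    Rule(1002, "deny"),
    Rule(1500, "allow", via="abc0"),
    Rule(1999, "deny"),
    Rule(2001, "allow", proto="tcp", dst="4.5.6.10", dports=(80,)),
    Rule(2002, "allow", proto="tcp", src="4.5.6.10", sports=(80,), established=True),
    Rule(2003, "skipto", 2500, "tcp", "4.5.6.11", dports=(25,), recv="abc1", keep_state=True),
    Rule(2004, "deny"),
    Rule(2500, "allow", via="abc1"),
    Rule(2999, "deny"),
]

def run_scenarios():
    """Constructed traffic through the posted rules; returns the verdicts and the state table."""
    fw = Firewall(POSTED_RULES)
    syn = Packet("tcp", "1.2.3.4", 40000, "9.9.9.9", 80, "abc0", "in")
    syn_in, syn_out = forward(fw, syn, "abc2")   # client on abc0 out to the web via abc2
    reply = Packet("tcp", "9.9.9.9", 80, "1.2.3.4", 40000, "abc2", "in", True)
    reply_in, _ = forward(fw, reply, "abc0")     # the server's reply, arriving on abc2
    reply_out = fw.check(reply._replace(iface="abc0", direction="out"))   # its abc0 leg alone
    other = fw.check(Packet("tcp", "10.0.0.5", 40001, "9.9.9.9", 80, "abc0", "in"))  # not in 1.2.3.0/24
    return {"syn_in_abc0": syn_in, "syn_out_abc2": syn_out, "reply_in_abc2": reply_in,
            "reply_out_abc0": reply_out, "other_src_abc0": other, "state": dict(fw.dyn)}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Under these assumptions the traces show what the skipto-on-match idea buys and where the sketch as posted still needs work. The first leg of the client's connection (in on abc0) creates state at 1001 and is allowed at 1500; a host outside 1.2.3.0/24 on abc0 never creates state and is denied at 1002. But the dynamic entry carries no interface, so the second leg of the same packet (out on abc2) and the server's reply (in on abc2) both hit the entry at rule 10, are sent into the abc0 chain, miss 1500 because it is bound to abc0, and are denied at 1999; rule 102 never sees them because check-state runs first. That is Tim's "packets pass through twice" point made concrete: a chain reached through a dynamic match has to accept every leg of the flow, not just the one that created the state.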