From: "Prokofiev S.P." <proks@logos.uptel.net>
To: freebsd-net@freebsd.org
Date: Tue, 3 Apr 2007 12:37:21 +0300 (EEST)
Subject: IPFW Stateful behaviour
Message-ID: <20070403122855.V7770@logos.uptel.net>
List-Id: Networking and TCP/IP with FreeBSD

Hi ALL!

PF has a useful state-policy option: if-bound, group-bound, floating. I have found out that IPFW stateful rules do not become attached to an interface and behave like PF stateful rules in floating mode.

For example, I build stateful rules (29991, 31991) on two interfaces for two different networks. I send a packet "pkt" from network net_staff1 to network net_staff2. It creates a stateful rule on entering if1, and then it gets access to net_staff2 on output from if2 by the keep-state rule 31991. Deny rule 31995 does not work.

I have solved this problem with tag and skipto (29990, 31990), but it is not very elegant. Are other solutions possible?
               +-----------------+
               |             if1 O----net_staff1
               |         |-----<----pkt
    ----INET---O if0     |         |
               |         |----->---->
               |             if2 O----net_staff2
               +-----------------+

    ipfw add skipto 29000 ip from any to any via $if1
    ipfw add skipto 31000 ip from any to any via $if2

    ############## IF1 29000
    N_DA=29995
    ipfw add 29990 skipto $N_DA log ip from any to any via $if1 tagged 65534 // bypass another stateful
    ipfw add 29991 allow log tag 65534 ip from $net_staff1 to any via $if1 in keep-state // stateful
    ipfw add $N_DA deny log ip from any to $net_staff1 via $if1 out
    ipfw add 29999 skipto 65000 ip from any to any via $if1

    ############## IF2 31000
    N_DA=31995
    ipfw add 31990 skipto $N_DA log ip from any to any via $if2 tagged 65534 // bypass another stateful
    ipfw add 31991 allow log tag 65534 ip from $net_staff2 to any via $if2 in keep-state // stateful
    ipfw add $N_DA deny log ip from any to $net_staff2 via $if2 out
    ipfw add 31999 skipto 65000 ip from any to any via $if2

Sorry for my English.