Date:      Tue, 3 Apr 2007 14:11:39 +0400
From:      "Andrew Pantyukhin" <infofarmer@FreeBSD.org>
To:        "Prokofiev S.P." <proks@logos.uptel.net>
Cc:        freebsd-net@freebsd.org
Subject:   Re: IPFW Stateful behaviour
Message-ID:  <cb5206420704030311n28a88a68s2c1c0b562e3eb861@mail.gmail.com>
In-Reply-To: <20070403122855.V7770@logos.uptel.net>
References:  <20070403122855.V7770@logos.uptel.net>

On 4/3/07, Prokofiev S.P. <proks@logos.uptel.net> wrote:
>
> Hi ALL!
> PF has a useful state-policy option: if-bound, group-bound, floating.
> I have found out that IPFW stateful rules do not become attached to the interface
> and behave like PF stateful rules in floating mode.
> For example, I build stateful rules (29991,31991) on two interfaces for two
> different networks. I send a packet "pkt" from network net_staff1 to
> network net_staff2. It creates a stateful rule on entering if1, then it gets access
> to net_staff2 on output from if2 by the keep-state 31991 rule.
> Deny rule 31995 does not work.
>
> I have solved this problem with tag and skipto (29990,31990), but it is not
> absolutely beautiful.
> Are other solutions possible?

I'm still not sure what your goal is. If you want both
staff nets to have internet access, and to be isolated
from each other, then allow
"out recv if-staff[12] xmit if-inet"
and deny everything else.
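As an added example, not part of this thread or of FreeBSD's own rc.firewall, here is a small ruleset in the rc.firewall style that implements the suggestion above. The interface names staff1_if, staff2_if and inet_if are assumed placeholders; fwcmd defaults to echo so the script only prints the ipfw commands until you set fwcmd=/sbin/ipfw. The point it shows is why the rule is written as "out recv ... xmit ...": because ipfw dynamic rules are not bound to an interface, the state must only be created by a packet that is really leaving towards the internet, so a staff1 -> staff2 packet never creates or matches a state and falls through to the final deny.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.firewall).
# Interface names are assumed placeholders for this illustration.
fwcmd="${fwcmd:-echo /sbin/ipfw}"   # set fwcmd=/sbin/ipfw to load for real
staff1_if="${staff1_if:-em1}"       # assumed: first staff network
staff2_if="${staff2_if:-em2}"       # assumed: second staff network
inet_if="${inet_if:-em0}"           # assumed: internet-facing interface

gen_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0

    # Match already established dynamic states first. A state is only ever
    # created by rules 300/310 below, i.e. by traffic that is really going
    # from a staff interface out to the internet interface, so the reverse
    # (inet -> staff) replies are admitted here and nothing else is.
    $fwcmd add 200 check-state

    # Create state only on the path staff -> internet. Matching both recv
    # and xmit in one outgoing rule is what keeps a staff1 -> staff2 packet
    # from creating a floating state that a later interface-specific deny
    # would never see.
    $fwcmd add 300 allow ip from any to any \
        out recv "$staff1_if" xmit "$inet_if" keep-state
    $fwcmd add 310 allow ip from any to any \
        out recv "$staff2_if" xmit "$inet_if" keep-state

    # Everything else, including forwarding between the two staff nets
    # in either direction, is denied and logged.
    $fwcmd add 65000 deny log ip from any to any
}

gen_rules
```

Run it as-is to review the generated commands; run it with fwcmd=/sbin/ipfw from a console session (not over the network you are about to flush) to load them.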