Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 19 Aug 2007 11:51:08 -0300
From:      "Eduardo Meyer" <dudu.meyer@gmail.com>
To:        "Vadim Goncharov" <vadimnuclight@tpu.ru>
Cc:        ipfw@freebsd.org
Subject:   Re: All I have is one packet!
Message-ID:  <d3ea75b30708190751i84ef2d2jeda35ff6d1a11c8c@mail.gmail.com>
In-Reply-To: <optwri2uts4fjv08@nuclight.avtf.net>
References:  <d3ea75b30708060905p25019480i90fd1d71dc9120a2@mail.gmail.com> <optwri2uts4fjv08@nuclight.avtf.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On 8/8/07, Vadim Goncharov <vadimnuclight@tpu.ru> wrote:
> 06.08.07 @ 23:05 Eduardo Meyer wrote:
>
> > I have tried, for many weeks, ng_tag to tag packets for ipfw
> > filtering. I could make it work fine. However, I have one problem. I
> > want to make a state that will match any packet, on any protocol,
> > between the peers. Why? Because all I have, is one packet. And this
> > packet however, wont always be in the same transport protocol.
> >
> > For example, I can identify session initialization on TCP packets, but
> > once initialized, all communication between peers happen via UDP.
> >
> > I know such a thing dont exist in ipfw. However, I would like to know
> > if someone can suggest changes to the code that would do this. Would
> > also be great if I could have a sysctl OID to tune state-timing of
> > this unusual behavior, differently from the existing sysctl mibs on
> > "dyn" stuff on ipfw.
> >
> > Every suggestion on a feature like that, would be appreciated.
>
> Yes, dynamic rules in ipfw are not intended for supporting state created
> in the middle of the session, wuth the default sysctl settings it will be
> kept for 1 second (which, however, is enough for shaping of fast
> transfers). I think, precise controlling of dynamic rules from both
> userland and kernel should be added to ipfw, to modify existing rules on
> the fly (or even more features, like pfsync). As a hackish dirty
> workaround, may be it should be only one keyword, something like
> "keep-state-middle", to create normal dynamic rule without initial SYNs.
>
> But you've said about even more complex behaviour, like init on TCP,
> continue with UDP. That's difficult to implement in kernel, and may be
> even not suitable for ipfw. Currently (I think), you can try to emulate
> this behaviour by divert'ing tagged by ng_tag packet to userland program,
> like snort_inline (from ports collection) with needed scripting, which
> will trigger adding proper rules to firewall (you should also care about
> expiring that connection on SYNs and RSTs, though).

That's exactly the point. However, from a simplistic and probably
ignorant point of view on this matter, like mine, I believed it to be
in fact a much more simple "state", which would only compare IP
addresses (src<->dst) for the match, so I could just

ipfw add X allow { tcp or udp } from any to any keep-iponly-state tagged Y

It would be helpfull with many protocols which in fact use a transport
proto (like TCP) to do actual session initialization while using
another transport proto (UDP, DDP, whatever) for the real traffic;
many things do this nowadays;

Would such a feature be possible?

-- 
===========
Eduardo Meyer
pessoal: dudu.meyer@gmail.com
profissional: ddm.farmaciap@saude.gov.br



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?d3ea75b30708190751i84ef2d2jeda35ff6d1a11c8c>