Date:      Sun, 19 Aug 2007 11:51:08 -0300
From:      "Eduardo Meyer" <>
To:        "Vadim Goncharov" <>
Subject:   Re: All I have is one packet!
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

On 8/8/07, Vadim Goncharov <> wrote:
> 06.08.07 @ 23:05 Eduardo Meyer wrote:
> > I have tried, for many weeks, ng_tag to tag packets for ipfw
> > filtering. I could make it work fine. However, I have one problem. I
> > want to make a state that will match any packet, on any protocol,
> > between the peers. Why? Because all I have is one packet. And this
> > packet, however, won't always be in the same transport protocol.
> >
> > For example, I can identify session initialization on TCP packets, but
> > once initialized, all communication between peers happens via UDP.
> >
> > I know such a thing doesn't exist in ipfw. However, I would like to know
> > if someone can suggest changes to the code that would do this. Would
> > also be great if I could have a sysctl OID to tune state-timing of
> > this unusual behavior, differently from the existing sysctl mibs on
> > "dyn" stuff on ipfw.
> >
> > Every suggestion on a feature like that, would be appreciated.
> Yes, dynamic rules in ipfw are not intended for supporting state created
> in the middle of the session; with the default sysctl settings it will be
> kept for 1 second (which, however, is enough for shaping of fast
> transfers). I think precise controlling of dynamic rules from both
> userland and kernel should be added to ipfw, to modify existing rules on
> the fly (or even more features, like pfsync). As a hackish dirty
> workaround, maybe it should be only one keyword, something like
> "keep-state-middle", to create a normal dynamic rule without initial SYNs.
> But you've said about even more complex behaviour, like init on TCP,
> continue with UDP. That's difficult to implement in kernel, and maybe
> even not suitable for ipfw. Currently (I think), you can try to emulate
> this behaviour by divert'ing packets tagged by ng_tag to a userland program,
> like snort_inline (from ports collection) with needed scripting, which
> will trigger adding proper rules to the firewall (you should also care about
> expiring that connection on SYNs and RSTs, though).

That's exactly the point. However, from a simplistic and probably
ignorant point of view on this matter, like mine, I believed it to be
in fact a much more simple "state", which would only compare IP
addresses (src<->dst) for the match, so I could just

ipfw add X allow { tcp or udp } from any to any keep-iponly-state tagged Y

It would be helpful with many protocols which in fact use a transport
proto (like TCP) to do actual session initialization while using
another transport proto (UDP, DDP, whatever) for the real traffic;
many things do this nowadays.

Would such a feature be possible?

Eduardo Meyer
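To make the difference between an ordinary ipfw dynamic rule and the address-pair state proposed above concrete, the following is an added Python model, not ipfw code and not from anyone in the thread: one table keys state on the full 5-tuple, the other only on the src/dst pair, each with its own lifetime standing in for the separate sysctl asked for. The packets, addresses and lifetimes are constructed.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

class StateTable:
    """Minimal model of an ipfw-style dynamic rule table (not ipfw's code)."""
    def __init__(self, key_fn, lifetime):
        self.key_fn = key_fn        # which packet fields identify a "session"
        self.lifetime = lifetime    # seconds, stands in for a dyn_* sysctl
        self.entries = {}           # key -> expiry time

    def _keys(self, pkt):
        # Forward and reverse keys, so replies from the peer match too.
        rev = Packet(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.key_fn(pkt), self.key_fn(rev)

    def create(self, pkt, now):
        # Called only for the one packet that could be identified (e.g. tagged).
        self.entries[self.key_fn(pkt)] = now + self.lifetime

    def check(self, pkt, now):
        self.entries = {k: t for k, t in self.entries.items() if t > now}
        for k in self._keys(pkt):
            if k in self.entries:
                self.entries[k] = now + self.lifetime   # refresh on match
                return True
        return False

def run_scenario():
    """Constructed traffic: one identifiable TCP packet, then UDP between the same peers."""
    a, b, c = "10.0.0.1", "192.0.2.10", "198.51.100.7"
    first = Packet("tcp", a, 40000, b, 5060)
    tcp_reply = Packet("tcp", b, 5060, a, 40000)
    udp_fwd = Packet("udp", a, 50001, b, 6000)
    udp_rev = Packet("udp", b, 6000, a, 50001)
    udp_other = Packet("udp", c, 50001, b, 6000)
    # Ordinary dynamic rule: full 5-tuple, short lifetime for mid-session state.
    five = StateTable(lambda p: (p.proto, p.src, p.sport, p.dst, p.dport), lifetime=1)
    # Hypothetical "keep-iponly-state": address pair only, with its own longer lifetime.
    iponly = StateTable(lambda p: (p.src, p.dst), lifetime=300)
    for table in (five, iponly):
        table.create(first, now=0)
    return {
        "5tuple_tcp_reply": five.check(tcp_reply, now=0.5),
        "5tuple_udp": five.check(udp_fwd, now=0.5),
        "iponly_udp": iponly.check(udp_fwd, now=0.5),
        "iponly_udp_reply": iponly.check(udp_rev, now=1),
        "iponly_other_host": iponly.check(udp_other, now=1),
        "iponly_after_timeout": iponly.check(udp_fwd, now=1000),
    }
```

The 5-tuple table matches the TCP reply but not the later UDP flow, while the address-pair table matches UDP in both directions, rejects an unrelated host, and forgets the pair once its own lifetime runs out.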
