Date:      Thu, 2 Apr 2009 02:30:41 -0500
From:      Paul A Procacci <pprocacci@datapipe.net>
To:        Victor Sudakov <vas@mpeks.tomsk.su>, <freebsd-questions@freebsd.org>
Subject:   Re: keep-state and divert
Message-ID:  <49D469A1.3060103@datapipe.net>
In-Reply-To: <20090402055113.GA35989@admin.sibptus.tomsk.ru>
References:  <20090402055113.GA35989@admin.sibptus.tomsk.ru>

Victor Sudakov wrote:
> Colleagues,
>
> I have read some recommendations on combining a stateful firewall with divert,
> e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
>
> Do I understand correctly that it is (mathematically?) impossible to
> use the two together without also using "skipto"?
>
> If we consider a simple example below, how would you replace the 600th
> rule for a stateful one?
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
>
> 00500 divert 8668 ip from table(1) to any in via rl0
> 00600 allow ip from table(1) to any in via rl0
> 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
>
> 65535 allow ip from any to any
>
> Thank you in advance for any input.
>
>

Hopefully you don't mind a response which provides a fully functioning
firewall ruleset.  It's by no means complete, but should give you the
answer to your question.

http://procacci.me/ipfw.conf



