Date:      Thu, 2 Apr 2009 15:00:56 +0700
From:      Victor Sudakov <vas@mpeks.tomsk.su>
To:        freebsd-questions@freebsd.org
Subject:   Re: keep-state and divert
Message-ID:  <20090402080056.GA39348@admin.sibptus.tomsk.ru>
In-Reply-To: <49D469A1.3060103@datapipe.net>
References:  <20090402055113.GA35989@admin.sibptus.tomsk.ru> <49D469A1.3060103@datapipe.net>

Paul A Procacci wrote:
> >
> >I have read some recommendations on combining a stateful firewall with 
> >divert,
> >e.g. 
> >http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> >and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
> >
> >Do I understand correctly that it is (mathematically?) impossible to
> >use the two together without also using "skipto"?
> >
> >If we consider a simple example below, how would you replace the 600th
> >rule for a stateful one?
> >
> >00100 divert 8668 ip from any to table(1) out via rl0
> >00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> >00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> >00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> >
> >00500 divert 8668 ip from table(1) to any in via rl0
> >00600 allow ip from table(1) to any in via rl0
> >00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> >00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> >00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
> >
> >65535 allow ip from any to any
> >
> >Thank you in advance for any input.
> >
> >
> 
> Hopefully you don't mind a response which provides a fully functioning
> firewall ruleset.  It's by no means complete, but should give you the
> answer to your question.
> 
> http://procacci.me/ipfw.conf

I have seen a number of such complete rulesets, some of them being
very inventive and tricky. 

I see that your example also uses "skipto" with "keep-state".  My
question was however if it was possible to do without "skipto". 

And a simple example would be most appreciated, not a fully functional
ruleset.

I am also thinking about using "natd -deny_incoming" for keeping state,
instead of "keep-state" rules. Is this feasible?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru