Date: Thu, 02 Apr 2009 05:21:14 -0400 From: Michael Powell <nightrecon@verizon.net> To: freebsd-questions@freebsd.org Subject: Re: keep-state and divert Message-ID: <gr200i$53e$1@ger.gmane.org> References: <20090402055113.GA35989@admin.sibptus.tomsk.ru> <gr1qmf$kr1$1@ger.gmane.org> <20090402084319.GB40576@admin.sibptus.tomsk.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Victor Sudakov wrote:
[snip]
>
> I have looked at your ruleset. First you have:
>
> [dd]
>> $fwcmd add divert natd ip from any to me in via ppp0
>> $fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
>> $fwcmd add check-state
>>
>
> [dd]
>
> and only later you have your keep-state rules:
>
>>
>> $fwcmd add allow udp from any to any via ppp0 keep-state
>> $fwcmd add allow log icmp from any to any icmptypes 3,4
>>
>> $fwcmd add allow tcp from any to me 80 via ppp0 keep-state
>>
>> $fwcmd add deny log tcp from any to any in recv ppp0 setup
>> $fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
>> $fwcmd add allow tcp from any to any via ppp0 established keep-state
>
> This means your dynamic rules will contain an already NAT-ted address,
> which is useless.
>
> With my example ruleset below, where would you put the keep-state
> option?
>
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
>
> 00500 divert 8668 ip from table(1) to any in via rl0
> 00600 check-state
^^^^^^^^^^^
Yes - the check-state line is required first in order to make use of the
keep-state line later in the ruleset.
00650 allow ip from table(1) to any in via rl0 keep-state
Or wherever you are intending to set up state for a rule in the state table.
> 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
>
> 65535 allow ip from any to any
>
>
$fwcmd add allow tcp from any to any out xmit ppp0 setup keep-state
$fwcmd add allow tcp from any to any via ppp0 established keep-state
Note in these two rules the setting of the SYN flag with "setup". This
allows the initial 3-way TCP handshake. The subsequent "established" line is
where it will "remember" the traffic. It is not truly necessary to have it
split between two lines like this, as a looser example:
$fwcmd add allow tcp from any to me 80 via ppp0 keep-state
Of course, you will need to adjust for the direction(s) of your traffic
flow, that is, in order to meet your specific needs. My example rule was
intended for use as an endpoint where I was mainly interested in blocking
all inbound traffic with a very limited number of exceptions with state
being used to allow back in from the outside all return traffic originated
by me, and only me.
It's been something on the order of 6-7 years since I last used ipfw. For
something like 2-3 years after that I used ipfilter. When pf was imported
from OpenBSD and became stable I made the move to pf.
So my recall of specifics related to ipfw is dim at best. Was just hoping
you could pick out some detail which may be of use to you. Your needs may be
different from mine and consequently there is no real one magic "copy this
for plug and play" ruleset. Mine was just one example where I was trying to
illustrate one possibility of utilizing state. And this from a working
ruleset that I used for years.
-Mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?gr200i$53e$1>