Date:      Thu, 2 Apr 2009 17:51:22 +0700
From:      Victor Sudakov <sudakov@sibptus.tomsk.ru>
To:        freebsd-questions@freebsd.org
Subject:   Re: keep-state and divert
Message-ID:  <20090402105122.GA44002@admin.sibptus.tomsk.ru>
In-Reply-To: <gr200i$53e$1@ger.gmane.org>
References:  <20090402055113.GA35989@admin.sibptus.tomsk.ru> <gr1qmf$kr1$1@ger.gmane.org> <20090402084319.GB40576@admin.sibptus.tomsk.ru> <gr200i$53e$1@ger.gmane.org>

Michael Powell wrote:
> > 
> > With my example ruleset below, where would you put the keep-state
> > option?
> > 
> > 
> > 00100 divert 8668 ip from any to table(1) out via rl0
> > 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> > 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> > 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> > 
> > 00500 divert 8668 ip from table(1) to any in via rl0
> > 00600 check-state
>         ^^^^^^^^^^^
> Yes - the check-state line is required first in order to make use of the 
> keep-state line later in the ruleset.
> 
> 00650 allow ip from table(1) to any in via rl0 keep-state

It should be "out" here, not "in", because I want to permit outbound
traffic and corresponding return traffic. You might think of something like

650 allow ip from any to table(1) out via rl0 keep-state

However, if we place the "keep-state" rule at 650, only already
diverted packets will reach it, and it will be useless because the src
address will already have become the public one. I need a rule which
would permit return traffic to the RFC1913 hosts (i.e. after
dealiasing).

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
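The reason the rule-650 placement does not work can be traced by walking the ruleset against one outbound packet and its reply. The simulation below is an added example for this thread, not code from the thread or from ipfw/natd. It models only what the discussion needs: a divert rule rewrites addresses the way natd does (outbound source becomes the alias address, inbound destination is mapped back), keep-state records the 5-tuple as it looks at that rule, and check-state accepts a packet whose 5-tuple (either direction) is already recorded. Assumptions: processing continues at the next rule after the diverted packet is reinjected, natd's port rewriting is ignored, everything is on one interface, and the addresses and table(1) contents are constructed from documentation ranges.

```python
"""Walk the ipfw ruleset from the thread against one connection.

Added example: it assumes natd reinjects and rule processing continues
after the divert rule (one_pass=0 semantics), ignores port rewriting, and
uses constructed addresses.
"""
import ipaddress
from dataclasses import dataclass, field

TABLE1 = {"203.0.113.10"}      # constructed: remote hosts that are NAT'd (table(1))
NAT_PUBLIC = "198.51.100.1"    # constructed: natd alias address on rl0
DEFAULT_DENY = 65535           # ipfw's implicit final rule


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" or "out" via rl0


@dataclass
class Firewall:
    nat_map: dict = field(default_factory=dict)  # alias port -> private address
    dynamic: set = field(default_factory=set)    # keep-state entries (src, dst, sport, dport)

    def divert(self, pkt):
        """natd: outbound src -> alias address; inbound dst -> original private host."""
        if pkt.direction == "out":
            self.nat_map[pkt.sport] = pkt.src
            pkt.src = NAT_PUBLIC
        elif pkt.dst == NAT_PUBLIC and pkt.dport in self.nat_map:
            pkt.dst = self.nat_map[pkt.dport]

    def state_matches(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return fwd in self.dynamic or rev in self.dynamic


# The ruleset from the thread, with keep-state placed at 650 as proposed.
RULESET = [
    (100, "divert", lambda p: p.direction == "out" and p.dst in TABLE1),
    (200, "deny", lambda p: p.direction == "out" and in_net(p.src, "10.0.0.0/8")),
    (300, "deny", lambda p: p.direction == "out" and in_net(p.src, "172.16.0.0/12")),
    (400, "deny", lambda p: p.direction == "out" and in_net(p.src, "192.168.0.0/16")),
    (500, "divert", lambda p: p.direction == "in" and p.src in TABLE1),
    (600, "check-state", lambda p: True),
    (650, "allow keep-state", lambda p: p.direction == "out" and p.dst in TABLE1),
]


def run(fw, pkt, ruleset=RULESET):
    """Evaluate rules in order; return (rule number, verdict)."""
    for num, action, match in ruleset:
        if not match(pkt):
            continue
        if action == "divert":
            fw.divert(pkt)  # reinjected packet continues at the next rule
        elif action == "deny":
            return num, "deny"
        elif action == "check-state":
            if fw.state_matches(pkt):
                return num, "allow"
        elif action == "allow keep-state":
            fw.dynamic.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
            return num, "allow"
    return DEFAULT_DENY, "deny"


def demo():
    """Outbound SYN from a private host, then the reply from the remote host."""
    fw = Firewall()
    out = Packet("192.168.1.5", "203.0.113.10", 40000, 80, "out")
    out_verdict = run(fw, out)
    reply = Packet("203.0.113.10", NAT_PUBLIC, 80, 40000, "in")
    reply_verdict = run(fw, reply)
    # By rule 650 the source was already aliased, so the state holds the public
    # address; the reply reaches check-state after rule 500 has dealiased it,
    # so the recorded state never matches and the reply falls to the default deny.
    return out_verdict, reply_verdict, sorted(fw.dynamic), reply.dst


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the outbound packet accepted at rule 650 with a dynamic entry keyed on 198.51.100.1, while the reply, whose destination rule 500 has already turned back into 192.168.1.5, is denied at 65535; that is exactly the mismatch Victor describes.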