Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 9 Feb 2005 00:43:18 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-ipfw@freebsd.org
Cc:        Chris Dionissopoulos <dionch@freemail.gr>
Subject:   Re: Sticky pf(4)-like feature in ipfw?
Message-ID:  <200502090043.30704.max@love2party.net>
In-Reply-To: <20050208150150.C28282@xorpc.icir.org>
References:  <000a01c50df5$4a4435e0$3c00000a@R3B> <20050208150150.C28282@xorpc.icir.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
--nextPart36976067.LvBGxLmmto
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

On Wednesday 09 February 2005 00:01, Luigi Rizzo wrote:
> the 'state only based on the 3-tuple' as you describe it
> is certainly an interesting feature. It is slightly more expensive
> to implement than what i thought at first, because you should
> do two hash computations and lookups (one on the 5-tuple, one
> on the 3-tuple) on each packet trying to match a dynamic rule.
>
> i just wonder why it is named 'sticky' in pf
> which is not really very indicative of what the function does.

It's actually called "sticky-address" and applies to all rules that select=
=20
addresses from a pool.  It is called that way as things work a bit differen=
t=20
in PF.  You'd have a forwarding rule that selects addresses from a pool as=
=20
equivalent to the "prob .5 skip-to" in IPFW.  The state matching isn't=20
affected at all (i.e. if you do stateful matching PF still performs 5-tuple=
=20
matching).  The "sticky-address" option on the pool, however, ensures that=
=20
the next time a certain client needs to be forwarded it gets the same=20
translation address.

As you said, you have to be careful with only 3-tuple states as it might op=
en=20
to injection attacks and thus allow evildoers to bypass the firewall.

> 	cheers
> 	luigi
>
> On Tue, Feb 08, 2005 at 05:45:59PM +0200, Chris Dionissopoulos wrote:
> > Hi,
> > I think of adding a new feature in (my local copy) ipfw (releng5) so th=
at
> > it makes also sticky match when forwarding broken protocols like ftp,
> > h.323, sip, etc.
> > Its inspired from pf(4) sticky feature as is.The general usage will be
> > for "skipto" forwarding rules as shown in example below:
> >
> > Network ASCII-ART:
> >
> > Gateway1   Gateway2
> >
> > ---------------- 192.168.1.0/24
> >
> > [Freebsd-ipfw]
> >
> > ---------------- 192.168.3.0/24
> >
> > ipfw.sh:
> > ~~~~~~~~~~~~~~~~~~~~~~
> > #!/bin/sh
> > fwcmd=3D"/sbin/ipfw"
> > pass=3D"skipto 65535"
> >
> > gateway_mac1 =3D"00:0e:2e:03:36:23"
> > gateway_mac2 =3D"00:0e:2e:03:37:23"
> > gateway1=3D"192.168.1.2"
> > gateway2 =3D"192.168.1.1"
> >
> > lan_network =3D "192.168.3.0/24"
> > broken=3D"20,21,1720,6667,4600-4700"
> >
> > #CHECK STATES.
> > ${fwcmd} add 100 check-state
> >
> > # INCOMING TRAFFIC
> > ${fwcmd} add 1100 skipto 10100 ip from any to any mac any
> > ${gateway_mac1}in recv rl0 keep-state
> > ${fwcmd} add 1200 skipto 10200 ip from any to any mac any
> > ${gateway_mac1}in recv rl0 keep-state
> >
> > #OUTGOING + NOT-YET-STATED PACKETS BROKEN PROTOCOLS [LB 50%-50%]
> > ${fwcmd} add 2000 prob 0.5 skipto 10101 tcp from ${lan_network}to not
> > ${lan_network} dst-port ${broken} in recv rl1 keep-sticky
> > ${fwcmd} add 2001 skipto 10201 tcp from ${lan_network}to not
> > ${lan_network}dst-port ${broken} in recv rl1 keep-sticky
> >
> > #OUTGOING  + NOT-YET-STATED PACKETS (BALANCE) [LB 50%-50%]
> > ${fwcmd} add 2100 prob 0.5 skipto 10101 ip from ${lan_network}to not
> > ${lan_network}in recv rl1 keep-state
> > ${fwcmd} add 2101 skipto 10201 ip from ${lan_network}to not
> > ${lan_network}in recv rl1 keep-state
> >
> > #DRIVE OUTGOING TRAFFIC TO GATEWAY1. JUST PASS OTHER
> > ${fwcmd} add 10100 fwd ${gateway1} ip from ${lan_network} to not
> > ${lan_network} in recv rl1
> > ${fwcmd} add 10110 ${pass} ip from any to any
> >
> > #DRIVE OUTGOING TRAFFIC TO GATEWAY2. JUST PASS OTHER
> > ${fwcmd} add 10200 fwd ${gateway2} ip from ${lan_network} to not
> > ${lan_network} in recv rl1
> > ${fwcmd} add 10210 ${pass} ip from any to any
> >
> > ~~~~~~~~~~~~~~~~~~~~~~
> >
> >
> > "keep-sticky" main difference with "keep-state" is just relaxed state
> > matching
> > using only proto+(src_ip+dst_ip) and proto+reversed(src_ip+dst_ip), and
> > not (scr_ip:src_port + dst_ip:dst_port) straight and reversed
> > (=3Dkeep-state/limit).
> >
> > My question :
> > Does anyone has already working on such feature?
> > Cause its pretty easy to implement(*) "keep-sticky", does any of
> > ipfw developers planning to add such feature in near future?
> >
> >
> > Thanks,
> > Chris.
> >
> >
> > (*)
> > 1.  TOK_KEEPSTICKY in  /usr/src/sbin/ipfw/ipfw2.c
> >     O_KEEP_STICKY in /usr/src/sys/netinet/ip_fw.h
> >     and copy TOK_KEEPSTATE+O_KEEPSTATE code
> >     as a new case of cmd+rule argument.
> > 2. Some changes in "lookup_dyn_rule_locked" function of
> > /usr/src/sys/netinet/ip_fw2.c to make a more relaxed state
> > when "keep-sticky" is enabled.
> >
> >
> >
> >
> >
> >
> >
> > ____________________________________________________________________
> > http://www.freemail.gr - dwrean upyresia ylektronikou taxudromeiou.
> > http://www.freemail.gr - free email service for the Greek-speaking.
> > _______________________________________________
> > freebsd-net@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-net
> > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

=2D-=20
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News

--nextPart36976067.LvBGxLmmto
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (FreeBSD)

iD8DBQBCCU6iXyyEoT62BG0RArV4AJ9vT6QQOpEKXqeI2UiKkT3HnCh7FwCeOEVZ
ZvZRffmYLbqIPQXJfxn7qGg=
=RFGJ
-----END PGP SIGNATURE-----

--nextPart36976067.LvBGxLmmto--



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?200502090043.30704.max>