Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 12 Sep 2009 21:51:04 +0800
From:      Cypher Wu <cypher.w@gmail.com>
To:        Luigi Rizzo <rizzo@iet.unipi.it>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: Transparent firewall & Dynamic rules
Message-ID:  <f9f38a550909120651t49362b93m83f08e862adc63cb@mail.gmail.com>
In-Reply-To: <20090912130913.GA46135@onelab2.iet.unipi.it>
References:  <f9f38a550909120032k2572fd3y30a1a5e5d0b457cd@mail.gmail.com> <20090912130913.GA46135@onelab2.iet.unipi.it>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
It's seems fine, but I still have some questions:
1. The endpoint will response to the keepalive TCP segment and the
destination will be the other endpoint, will IPFW just let it though
like the usual IP packet, or try to figure it out and drop it?
2. If I have two computer I can make sure both end are not using
keepalive, then I can still figure out there is a firewall between
these two computers?


On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packet to
>> avoid deleting a dynamic rule that both ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have it's own IPs and is not transparent anymore.
>
> keepalives carry the addresses of the two endpoints,
> the firewall is not visible.
>
>



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?f9f38a550909120651t49362b93m83f08e862adc63cb>