Date: Sat, 12 Sep 2009 21:51:04 +0800
From: Cypher Wu <cypher.w@gmail.com>
To: Luigi Rizzo <rizzo@iet.unipi.it>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Transparent firewall & Dynamic rules
Message-ID: <f9f38a550909120651t49362b93m83f08e862adc63cb@mail.gmail.com>
In-Reply-To: <20090912130913.GA46135@onelab2.iet.unipi.it>
References: <f9f38a550909120032k2572fd3y30a1a5e5d0b457cd@mail.gmail.com> <20090912130913.GA46135@onelab2.iet.unipi.it>
It seems fine, but I still have some questions:

1. The endpoint will respond to the keepalive TCP segment and the destination will be the other endpoint; will IPFW just let it through like a usual IP packet, or try to figure it out and drop it?

2. If I have two computers and I can make sure both ends are not using keepalive, can I still figure out that there is a firewall between these two computers?

On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo <rizzo@iet.unipi.it> wrote:
> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packets to
>> avoid deleting a dynamic rule when both ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have its own IPs and is not transparent anymore.
>
> keepalives carry the addresses of the two endpoints,
> the firewall is not visible.
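The point Luigi makes (keepalives carry the two endpoints' addresses, so the bridge needs no address of its own) and the first question above (what happens to the endpoint's answer) can be seen in a small simulation. The following is an added example written for this page, not ipfw's code and not from either poster: a toy transparent firewall keeps a dynamic-rule table, probes idle TCP states with pure ACKs addressed from one endpoint to the other, and treats the endpoints' replies as ordinary matching traffic that refreshes the state. The lifetime and timer constants follow the values documented in ipfw(8); the packet shape of the probe (an ACK with the sequence number one below what the receiver expects, the same shape as a host's own TCP keepalive) and the host names and ports are constructed for the model.

```python
# Added example: simplified model of ipfw-style keep-state rules with TCP keepalives
# on a transparent (bridging) firewall. Not ipfw's implementation; it only shows
# that probes and their answers carry endpoint addresses, never the firewall's.
from dataclasses import dataclass

DYN_ACK_LIFETIME = 300  # idle lifetime of an established TCP state (ipfw default, net.inet.ip.fw.dyn_ack_lifetime)
KEEPALIVE_WINDOW = 20   # probes are generated during the last 20 s of the lifetime (ipfw(8))
KEEPALIVE_PERIOD = 5    # one probe toward each endpoint every 5 s (ipfw(8))


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str = "A"      # "A" pure ACK, "S" SYN, "SA" SYN-ACK, "F" FIN
    payload_len: int = 0


@dataclass
class DynRule:
    a: tuple              # (ip, port) of the side that opened the connection
    b: tuple
    next_seq_a: int       # next sequence number expected from a
    next_seq_b: int
    expire: float
    last_keepalive: float = -1.0


class BridgeFirewall:
    """Layer-2 transparent firewall: it has no IP address of its own."""

    def __init__(self):
        self.rules = {}       # frozenset{(ip, port), (ip, port)} -> DynRule
        self.emitted = []     # keepalive probes injected by the firewall

    @staticmethod
    def _key(seg):
        # The key is symmetric, so both directions of a flow hit the same state.
        return frozenset({(seg.src, seg.sport), (seg.dst, seg.dport)})

    def forward(self, seg, now):
        """A packet crosses the bridge; returns True if it is passed."""
        rule = self.rules.get(self._key(seg))
        if rule is None:
            if "S" not in seg.flags:
                return False  # no state and not a connection start: deny
            # keep-state: the SYN creates the dynamic rule
            self.rules[self._key(seg)] = DynRule(
                a=(seg.src, seg.sport), b=(seg.dst, seg.dport),
                next_seq_a=seg.seq + 1, next_seq_b=0,
                expire=now + DYN_ACK_LIFETIME)
            return True
        # Any matching packet, including an endpoint's answer to a probe,
        # is just traffic for this state and refreshes its lifetime.
        adv = seg.payload_len + ("S" in seg.flags) + ("F" in seg.flags)
        if (seg.src, seg.sport) == rule.a:
            rule.next_seq_a = max(rule.next_seq_a, seg.seq + adv)
        else:
            rule.next_seq_b = max(rule.next_seq_b, seg.seq + adv)
        rule.expire = now + DYN_ACK_LIFETIME
        return True

    def tick(self, now):
        """Housekeeping: drop expired state, probe state that is about to expire."""
        for key, rule in list(self.rules.items()):
            if now >= rule.expire:
                del self.rules[key]   # nobody answered: the connection is gone
                continue
            if (rule.expire - now <= KEEPALIVE_WINDOW
                    and now - rule.last_keepalive >= KEEPALIVE_PERIOD):
                rule.last_keepalive = now
                # Pure ACK with seq one below what the receiver expects (RFC 1122
                # keepalive shape, assumed here), sent as if from the other endpoint.
                # Source and destination are the two hosts; the bridge appears nowhere.
                (ia, pa), (ib, pb) = rule.a, rule.b
                self.emitted.append(Segment(ia, pa, ib, pb, rule.next_seq_a - 1, rule.next_seq_b))
                self.emitted.append(Segment(ib, pb, ia, pa, rule.next_seq_b - 1, rule.next_seq_a))


def endpoint_reply(probe):
    """A live TCP endpoint answers an out-of-window ACK with a pure ACK of its own."""
    return Segment(probe.dst, probe.dport, probe.src, probe.sport,
                   seq=probe.ack, ack=probe.seq + 1)


def scenario():
    """Constructed run: two hosts, one bridge, a long idle period."""
    a, b = ("10.0.0.1", 40000), ("10.0.1.2", 22)   # constructed endpoint addresses
    handshake = [Segment(*a, *b, seq=1000, ack=0, flags="S"),
                 Segment(*b, *a, seq=5000, ack=1001, flags="SA"),
                 Segment(*a, *b, seq=1001, ack=5001)]
    results = {}
    # Case 1: both endpoints alive, but silent for longer than the lifetime.
    fw = BridgeFirewall()
    for seg in handshake:
        fw.forward(seg, now=0.0)
    t = DYN_ACK_LIFETIME - KEEPALIVE_WINDOW + 1     # inside the keepalive window
    fw.tick(t)
    probes = list(fw.emitted)
    results["probe_count"] = len(probes)
    results["probe_addresses"] = sorted((p.src, p.dst) for p in probes)
    # The answers come back through the bridge as ordinary packets for the state.
    results["replies_forwarded"] = all(fw.forward(endpoint_reply(p), now=t + 0.1) for p in probes)
    fw.tick(DYN_ACK_LIFETIME + 1)                    # past the original expiry
    results["state_alive_after_lifetime"] = len(fw.rules) == 1
    # Case 2: nobody answers the probes, so the state is dropped at expiry.
    fw2 = BridgeFirewall()
    for seg in handshake:
        fw2.forward(seg, now=0.0)
    fw2.tick(t)
    fw2.tick(DYN_ACK_LIFETIME + 1)
    results["silent_peer_state_alive"] = len(fw2.rules) == 1
    return results
```

In the model the answers to the probes are indistinguishable from any other packet of the flow, so they are passed and they refresh the state; the only addresses on the wire are the two hosts' own. A state whose probes go unanswered is removed when the lifetime runs out.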