From owner-freebsd-ipfw@FreeBSD.ORG Sat Sep 12 13:51:04 2009
From: Cypher Wu
To: Luigi Rizzo
Cc: freebsd-ipfw@freebsd.org
Date: Sat, 12 Sep 2009 21:51:04 +0800
Subject: Re: Transparent firewall & Dynamic rules
In-Reply-To: <20090912130913.GA46135@onelab2.iet.unipi.it>
List-Id: IPFW Technical Discussions
It seems fine, but I still have some questions:

1. The endpoint will respond to the keepalive TCP segment and the destination will be the other endpoint. Will IPFW just let it through like a usual IP packet, or try to figure it out and drop it?

2. If I have two computers and I can make sure both ends are not using keepalive, can I still figure out that there is a firewall between these two computers?

On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo wrote:
> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packets to
>> avoid deleting a dynamic rule when both ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have its own IPs and is not transparent anymore.
>
> keepalives carry the addresses of the two endpoints,
> the firewall is not visible.
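The mechanism discussed in this thread, as an added toy model that is not ipfw's code and not part of the original messages: a bridging firewall with no address of its own keeps a table of dynamic rules, emits pure-ACK keepalives near expiry that are addressed endpoint-to-endpoint, and treats the endpoint's reply as ordinary traffic that matches and refreshes the entry. Lifetimes, sequence handling and the matching rule are simplified assumptions.

```python
# Constructed toy model of a bridging firewall with dynamic rules and keepalives.
# It is not ipfw's code: lifetimes, seq handling and matching are simplified.
from dataclasses import dataclass

LIFETIME = 300         # assumed idle lifetime of an established entry (seconds)
KEEPALIVE_WINDOW = 20  # assumed: keepalives go out when this close to expiry

@dataclass
class Segment:
    src: str; sport: int; dst: str; dport: int
    flags: str  # "S" (SYN), "SA" (SYN+ACK) or "A" (pure ACK)
    seq: int; ack: int

@dataclass
class DynRule:
    src: str; sport: int; dst: str; dport: int
    seq: int; ack: int  # last seq/ack seen in the src -> dst direction
    expire: float

    def matches(self, s: Segment) -> bool:
        key = (s.src, s.sport, s.dst, s.dport)
        return key in ((self.src, self.sport, self.dst, self.dport),
                       (self.dst, self.dport, self.src, self.sport))

class TransparentFirewall:
    """Has no IP address of its own: only a table of dynamic rules."""

    def __init__(self):
        self.table = []

    def check(self, s: Segment, now: float) -> str:
        for r in self.table:
            if r.matches(s):
                r.expire = now + LIFETIME  # any matching traffic refreshes the entry
                return "pass"
        if s.flags == "S":  # new connection: keep-state installs a dynamic rule
            self.table.append(DynRule(s.src, s.sport, s.dst, s.dport,
                                      s.seq, s.ack, now + LIFETIME))
            return "pass"
        return "drop"

    def keepalives(self, now: float) -> list:
        """Pure ACKs for entries close to expiry, addressed endpoint-to-endpoint."""
        out = []
        for r in self.table:
            if 0 < r.expire - now <= KEEPALIVE_WINDOW:
                out.append(Segment(r.src, r.sport, r.dst, r.dport, "A", r.seq, r.ack))
                out.append(Segment(r.dst, r.dport, r.src, r.sport, "A", r.ack, r.seq))
        return out
```

Every segment the firewall emits carries only the two endpoints' addresses, so nothing on the wire names the firewall, and the endpoint's ACK in reply matches the existing entry the same way any other packet of that connection would.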