Date: Wed, 29 Jul 2015 22:23:45 +0800 From: bycn82 <bycn82@gmail.com> To: Julian Elischer <julian@freebsd.org> Cc: freebsd-ipfw <freebsd-ipfw@freebsd.org> Subject: Re: keep-state and in-kernel NAT exposes local ip on external interface Message-ID: <CAC%2BJH2yYuJ92=zZ8%2BrEMh8ofSyPSyGVa6_VdcZ1eKSkmtHrfzQ@mail.gmail.com> In-Reply-To: <55B8DD3D.1030900@freebsd.org> References: <1435692039.18121.12.camel@yahoo.com> <5594395D.6050103@FreeBSD.org> <20150728150845.V17327@sola.nimnet.asn.au> <55B7DB52.7010504@FreeBSD.org> <55B8833B.3030205@freebsd.org> <CAC%2BJH2ybB_9W-okDbdvERRq=VE_9cAENj=rJDyky3OAAN--19Q@mail.gmail.com> <55B8DD3D.1030900@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
*Hi,*
*But I dont understand why you said C->D is already in the dynamic table?
which line create the dynamic rule for it?*
*Regards,*
*bycn82*
On 29 July 2015 at 22:03, Julian Elischer <julian@freebsd.org> wrote:
> On 7/29/15 5:26 PM, bycn82 wrote:
>
> *Hi Julian,*
>
> *So below are the rules in your example*
>
>
> *5 skipto 10 from A to B *
> *6 skipto 11 from any to any*
> *10{action} from A to B keep-state*
> *11{action} from C to D*
>
>
> *If I remove the "skipto" rules they will become*
>
> *10 {action} from A to B keep-state*
> *11 {action} from C to D *
>
> *Correct me if I was wrong, but in my opinion, the rule 5 and 10 are
> almost the same, so I dont see the benefit by introducing the "skipto"
> rulees. **IMHO, the "check-state" is to speed-up some selected packets,
> it will slow-down all other unexpected packets at the same time.*
>
>
>
>
> *so because C -D is already in the dynamic table it triggers on 10 and
> never reaches 11. see? you fell for it too. *
>
>
> *Regards,*
> *bycn82*
>
>
>
>
> On 29 July 2015 at 15:39, Julian Elischer <julian@freebsd.org> wrote:
>
>> On 7/29/15 3:43 AM, Lev Serebryakov wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA512
>>>
>>> On 28.07.2015 08:30, Ian Smith wrote:
>>>
>>> I have global lack of any spare time (and all my FreeBSD activity is
>>> only a hobby) for last ~2 months. I see the end of this unfortunate
>>> state of affairs in near future and I remember about these examples.
>>>
>>>
>>>> there are some simple examples of things this patch addresses..
>> For example in the current code, the following (extemely simplified) set
>> of
>> rules will not do what you would think when you are working with a tcp
>> session from A to B and another from C to D *which has previously been**
>> **accepted with a keep-state at some other point in the ruleset*
>>
>>
>> 10 {any action} from A to B keep-state
>> 20 {any action} tcp from C to D
>>
>> because despite the fact that you are only triggering on a 'setup' packet
>> for A to B, any rule
>> that includes "keep-state" does a "check-state" implicitly.
>> so the packet from C to D never gets past rule 10.
>> the only way you can do this is to prefix rule 10 by something like
>>
>> 5 skipto 10 from A to B
>> 6 skipto 11 from any to any
>>
>> to make sure packets that are not A to B do not hit the hidden
>> 'check-state' .
>>
>> this is a very simple example and yes there are ways to get around it,
>> but it complicates the ruleset and increases errors
>>
>> that reminds me I'd also like to be able to put a "not" at the
>> front of the rule matching to negate the whole test but it doesn't seem
>> to like that.
>>
>>
>>
>>
>> _______________________________________________
>> freebsd-ipfw@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>>
>
>
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAC%2BJH2yYuJ92=zZ8%2BrEMh8ofSyPSyGVa6_VdcZ1eKSkmtHrfzQ>