Date:      Fri, 21 Dec 2001 22:13:35 -0800 (PST)
From:      Vincent Chen <vctw@yahoo.com>
To:        freebsd-ipfw@freebsd.org
Subject:   stateful inspection
Message-ID:  <20011222061335.80665.qmail@web20003.mail.yahoo.com>


Dear all,

I need your help to implement a stateful firewall. I am
using ipfw to filter packets and ipfilter to provide
NAT and redirect service. My firewall has the
following rules:

02500 check-state
02510 deny tcp from any to any established
03000 allow tcp from 10.1.2.0/24 to any keep-state in recv ed0 setup
03100 allow tcp from 61.223.8.248 to any keep-state out xmit tun0 setup

10.1.2.0/24 is my private subnet
61.223.8.248 is my DSL IP

When I open a TCP connection from inside, rules 3000
and 3100 will create 2 dynamic rules. Rule 3100 will
expire soon after some TCP connection is open; telnet
is an example. The dynamic rule created by rule 3000
remains, but the incoming packet is denied by the firewall
because the dynamic rule created by rule 3100 is missing.
How can I solve this problem?

BTW: I read articles in the manual page and mailing list
discussion, but I am still confused. While the connection
is being established, do we have syn + ( syn + ack ) + (
syn + ack ), max. 660s, to create a dynamic rule
successfully? After the connection is established, how much
time do we have to transmit data before the dynamic rule
expires? Will this TCP session be kept alive if
net.inet.tcp.always_keepalive=1?


Thanks for your help, I really like to have this
feature work.


Vincent Chen


Thanks,

Vincent Chen
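A toy model of how one ipfw keep-state entry ages as TCP flags arrive, added here as an illustration; it is neither part of the message above nor ipfw's own code. The lifetimes are the FreeBSD default values of the net.inet.ip.fw.dyn_*_lifetime sysctls as I recall them and are assumptions to confirm with `sysctl net.inet.ip.fw`; the classification follows the general shape of ipfw's TCP state tracking in simplified form.

```python
from dataclasses import dataclass

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04

# Assumed FreeBSD defaults (seconds) for net.inet.ip.fw.dyn_*_lifetime;
# verify on the box with `sysctl net.inet.ip.fw`.
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1, "short": 5}

@dataclass
class DynRule:
    """One keep-state entry: TCP flags seen per direction, plus expiry."""
    fwd: int = 0         # flags seen from the side that created the entry
    rev: int = 0         # flags seen from the other side
    expire: float = 0.0  # absolute time at which the entry is reaped

def classify(rule, flags):
    """Pick the lifetime class for this entry after seeing `flags`."""
    seen_both = lambda f: bool(rule.fwd & f) and bool(rule.rev & f)
    if flags & RST:                       return "rst"
    if seen_both(SYN) and seen_both(FIN): return "fin"
    if seen_both(SYN) and seen_both(ACK): return "ack"   # established
    if (rule.fwd | rule.rev) & SYN:       return "syn"   # handshake in flight
    return "short"

def simulate(trace):
    """Replay (time, flags, is_forward) packets through one dynamic entry.

    Returns (time, event, expire) rows: event is the lifetime class applied,
    "expired" when the packet arrived after the entry was reaped (ipfw then
    falls through to the static rules, where the `established` deny bites),
    or "no-state" when there is no entry and the packet is not a SYN."""
    rule, rows = None, []
    for t, flags, fwd in trace:
        if rule is not None and t >= rule.expire:
            rows.append((t, "expired", rule.expire))
            rule = None
        if rule is None:
            if not (flags & SYN):   # only a SYN (the `setup` rule) creates state
                rows.append((t, "no-state", None))
                continue
            rule = DynRule()
        if fwd:
            rule.fwd |= flags
        else:
            rule.rev |= flags
        cls = classify(rule, flags)
        rule.expire = t + LIFETIME[cls]
        rows.append((t, cls, rule.expire))
    return rows
```

The model has no keepalive probing, so an established entry survives only as long as traffic keeps refreshing it.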
