From owner-freebsd-ipfw Fri Dec 21 22:13:40 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from web20003.mail.yahoo.com (web20003.mail.yahoo.com [216.136.225.48]) by hub.freebsd.org (Postfix) with SMTP id 372AD37B405 for ; Fri, 21 Dec 2001 22:13:36 -0800 (PST)
Message-ID: <20011222061335.80665.qmail@web20003.mail.yahoo.com>
Received: from [61.223.8.248] by web20003.mail.yahoo.com via HTTP; Fri, 21 Dec 2001 22:13:35 PST
Date: Fri, 21 Dec 2001 22:13:35 -0800 (PST)
From: Vincent Chen
Subject: stateful inspection
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dear all,

I need your help to implement a stateful firewall. I am using ipfw to filter packets and ipfilter to provide NAT and redirect services. My firewall has the following rules:

    02500 check-state
    02510 deny tcp from any to any established
    03000 allow tcp from 10.1.2.0/24 to any keep-state in recv ed0 setup
    03100 allow tcp from 61.223.8.248 to any keep-state out xmit tun0 setup

10.1.2.0/24 is my private subnet; 61.223.8.248 is my DSL IP.

When I open a TCP connection from inside, rules 3000 and 3100 will create two dynamic rules. The dynamic rule from rule 3100 will expire soon after some TCP connections are opened; telnet is an example. The dynamic rule created by rule 3000 remains, but the incoming packet is denied by the firewall because the dynamic rule created by rule 3100 is missing. How can I solve this problem?

BTW: I have read the articles in the manual page and the mailing list discussion, but I am still confused. While the connection is being established, do we have syn + (syn + ack) + (syn + ack), max. 660s, to create a dynamic rule successfully? After the connection is established, how much time do we have to transmit data before the dynamic rule expires? Will this TCP session be kept alive if net.inet.tcp.always_keepalive=1?
Thanks for your help, I would really like to have this feature work.

Vincent Chen
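The first thing to look at when a keep-state entry "goes missing" is the dynamic-rule table itself. `ipfw -d show` prints it below the static rules, and the `T` value in each entry is the seconds it has left before it is reaped. An entry only gets the long lifetime (net.inet.ip.fw.dyn_ack_lifetime, 300 s by default) once both directions of the TCP handshake have matched it; an entry that only ever sees the outgoing SYN stays on net.inet.ip.fw.dyn_syn_lifetime (20 s by default) and disappears, which is what a short-lived entry from rule 3100 next to a healthy entry from rule 3000 looks like. With NAT in the path, the reply packets may simply never match the entry keyed on the translated address. The script below is an added example, not part of the original mail or of ipfw itself: it parses a constructed sample of the dynamic-rule section (the column layout is modelled on 4.x-era ipfw and is an assumption; compare it with real `ipfw -d show` output), reports the remaining lifetime per parent rule, flags entries that are about to expire, and lists keep-state rules that currently have no live entry at all.

```shell
#!/bin/sh
# Added example (not from the original mail): inspect ipfw dynamic rules.
# SAMPLE_DYN is a constructed stand-in for the "Dynamic rules" section of
# `ipfw -d show`; its exact layout is an assumption modelled on 4.x ipfw.
# Column meaning assumed: parent rule, packets, bytes, "(T <secs>, # <id>)",
# "ty <type>", proto, src port <-> dst port.
SAMPLE_DYN='03000      12       1620 (T 287, # 56) ty 0 tcp, 10.1.2.5 1045 <-> 192.0.2.10 23
03100       1         60 (T 12, # 57) ty 0 tcp, 61.223.8.248 1045 <-> 192.0.2.10 23'

# The same table a minute later, after the rule-3100 entry has been reaped.
SAMPLE_DYN_LATER='03000      40       5120 (T 299, # 56) ty 0 tcp, 10.1.2.5 1045 <-> 192.0.2.10 23'

# The poster's two state-creating rules, as `ipfw show` would list them.
SAMPLE_KEEP='03000 allow tcp from 10.1.2.0/24 to any keep-state in recv ed0 setup
03100 allow tcp from 61.223.8.248 to any keep-state out xmit tun0 setup'

# One line per dynamic entry: "<parent> <seconds-left> <src:port> <dst:port>"
dyn_summary() {
    printf '%s\n' "$1" | awk '
        /\(T [0-9]+,/ {
            secs = $5; sub(/,$/, "", secs)
            printf "%s %s %s:%s %s:%s\n", $1, secs, $11, $12, $14, $15
        }'
}

# Parent rule numbers whose entry will be reaped in fewer than $2 seconds.
# An entry stuck near dyn_syn_lifetime never saw the rest of the handshake.
dyn_expiring() {
    dyn_summary "$1" | awk -v limit="$2" '$2 < limit { print $1 }'
}

# keep-state rules (static listing in $1) with no live entry (dynamic
# listing in $2): the "dynamic rule is missing" case from the mail.
missing_state() {
    keep=$(printf '%s\n' "$1" | awk '/keep-state/ { print $1 }')
    live=$(dyn_summary "$2" | awk '{ print $1 }' | sort -u)
    for r in $keep; do
        case " $(echo $live) " in
            *" $r "*) ;;
            *) echo "$r" ;;
        esac
    done
}

# Stand-alone demo on the constructed samples.
echo "== live entries =="
dyn_summary "$SAMPLE_DYN"
echo "== expiring within 60s =="
dyn_expiring "$SAMPLE_DYN" 60
echo "== keep-state rules with no entry (later snapshot) =="
missing_state "$SAMPLE_KEEP" "$SAMPLE_DYN_LATER"
```

On a real box, feed it `ipfw -d show` instead of the samples and read the lifetimes alongside `sysctl net.inet.ip.fw | grep dyn`, which prints dyn_ack_lifetime, dyn_syn_lifetime and the other dyn_* timers actually in effect; a parent rule that keeps showing up only in the expiring list is the one whose reply traffic ipfw is not matching.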