IPFW Stateful behaviour
Andrew Pantyukhin
infofarmer at FreeBSD.org
Tue Apr 3 10:11:43 UTC 2007
On 4/3/07, Prokofiev S.P. <proks at logos.uptel.net> wrote:
>
> Hi ALL!
> PF has a useful state-policy option: if-bound, group-bound, floating.
> I have found out that IPFW stateful rules do not become attached to the interface
> and behave like PF stateful rules in floating mode.
> For example, I build stateful rules (29991,31991) on two interfaces for two
> different networks. I send a packet "pkt" from network net_staff1 to
> network net_staff2. It creates a stateful rule on entering if1, then it gets access
> to net_staff2 on output from if2 by keep-state rule 31991.
> Deny rule 31995 does not work.
>
> I have solved this problem with tag and skipto (29990,31990), but it is not
> absolutely beautiful.
> Are other solutions possible?
I'm still not sure what your goal is. If you want both
staff nets to have internet access, and to be isolated
from each other, then allow
"out recv if-staff[12] xmit if-inet"
and deny everything else.
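As an added illustration of the approach above (not part of the thread, and not a ruleset either poster published), the following script builds an ipfw ruleset in which state is created only for traffic forwarded from a staff interface to the Internet interface, so the floating dynamic rule can never grant staff1 access to staff2. Interface names, network prefixes and rule numbers are placeholders chosen here, and the firewall is assumed to be a plain router between the three interfaces.

```shell
#!/bin/sh
# Assumed interface names and prefixes; override them from the environment.
if_staff1=${if_staff1:-em1}
if_staff2=${if_staff2:-em2}
if_inet=${if_inet:-em0}
net_staff1=${net_staff1:-10.1.0.0/24}
net_staff2=${net_staff2:-10.2.0.0/24}
# By default the commands are only printed; set fwcmd=/sbin/ipfw to apply them.
fwcmd=${fwcmd:-echo ipfw}

build_ruleset() {
    $fwcmd -f flush
    $fwcmd add 50 allow ip from any to any via lo0
    # Dynamic rules are consulted here for every packet, on every interface:
    # that is the "floating" behaviour the thread describes.
    $fwcmd add 100 check-state
    # Stateless inbound accept on the staff interfaces. No state is created
    # on this pass, so the packet still has to match an outbound rule below.
    $fwcmd add 200 allow ip from $net_staff1 to any in recv $if_staff1
    $fwcmd add 210 allow ip from $net_staff2 to any in recv $if_staff2
    # State is created only when the packet leaves through the Internet
    # interface; replies then match rule 100 whichever interface they use.
    $fwcmd add 300 allow ip from $net_staff1 to any out recv $if_staff1 xmit $if_inet keep-state
    $fwcmd add 310 allow ip from $net_staff2 to any out recv $if_staff2 xmit $if_inet keep-state
    # staff1 -> staff2 is received on em1 but transmitted on em2, so it never
    # matches 300/310 and never creates state: it is dropped and logged here.
    $fwcmd add 65000 deny log ip from any to any
}

build_ruleset
```

Run it as-is to review the generated rules; the logged denies at rule 65000 are where cross-staff attempts show up in the ipfw log.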