IPFW Stateful behaviour
Prokofiev S.P.
proks at logos.uptel.net
Tue Apr 3 11:35:03 UTC 2007
Hi!
I want both staff nets to have internet access and access to my other networks
via dynamic rules (i.e. connections initiated by staff[12]), and to be
isolated from anything else: inet (if-default) and the networks on this router's
interfaces, with various stateless and stateful rules.
I have drawn a simplified scheme.
On Tue, 3 Apr 2007, Andrew Pantyukhin wrote:
> On 4/3/07, Prokofiev S.P. <proks at logos.uptel.net> wrote:
>>
>> Hi ALL!
>> PF has a useful state-policy option: if-bound, group-bound, floating.
>> I have found that IPFW stateful rules are not bound to the
>> interface
>> and behave like PF stateful rules in floating mode.
>> For example, I build stateful rules (29991,31991) on two interfaces for two
>> different networks. I send a packet "pkt" from network net_staff1 to
>> network net_staff2. It creates a stateful rule on entry at if1, then it gets
>> access
>> to net_staff2 on output from if2 via keep-state rule 31991.
>> Deny rule 31995 does not work.
>>
>> I have solved this problem with tag and skipto (29990,31990), but it is not
>> entirely elegant.
>> Are other solutions possible?
>
> I'm still not sure what your goal is. If you want both
> staff nets to have internet access, and to be isolated
> from each other, then allow
> "out recv if-staff[12] xmit if-inet"
> and deny everything else.
>
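An added example, not from the thread or from either poster: a dry-run ipfw rule generator that shows the layout described above (the dynamic rule created on if1 being matched on the way out of if2) next to one way of realising the tag/skipto idea with a per-interface section for each staff interface. Interface names (em1, em2), the staff networks (192.0.2.0/24, 198.51.100.0/24), the 1000-2999 dispatch rules and the "to not" exclusions are assumptions; the 2999x/3199x numbers follow the post. Nothing is loaded unless FWCMD points at the real binary.

```shell
#!/bin/sh
# Added example, not from the thread: two ipfw layouts for the router in the
# post. Interface names, networks and the 1000-2999 dispatch rules are
# assumptions; the 2999x/3199x numbers follow the post.
# Dry run by default: the commands are printed. On the router itself run
#   FWCMD=/sbin/ipfw sh staff-ipfw.sh tagged
IF1=${IF1:-em1};  NET_STAFF1=${NET_STAFF1:-192.0.2.0/24}     # assumed
IF2=${IF2:-em2};  NET_STAFF2=${NET_STAFF2:-198.51.100.0/24}  # assumed
FWCMD=${FWCMD:-echo /sbin/ipfw}

# The layout from the post. When a staff1 packet enters IF1, 29991 creates a
# dynamic rule that is not bound to IF1. When the same packet is forwarded
# out IF2 it walks the rules again from the top; the dynamic ruleset is
# consulted at the first keep-state rule it meets, whether or not that rule's
# own match conditions apply, the stored action "allow" is executed and
# 31995 is never reached.
floating_ruleset() {
  $FWCMD add 29991 allow ip from "$NET_STAFF1" to any in recv "$IF1" keep-state
  $FWCMD add 29995 deny ip from any to any in recv "$IF1"
  $FWCMD add 31991 allow ip from "$NET_STAFF2" to any in recv "$IF2" keep-state
  $FWCMD add 31995 deny ip from any to any out xmit "$IF2"
}

# Tag/skipto layout. Every packet is sent to the section of the staff
# interface it is entering or leaving (on the input pass only recv is known;
# on the output pass of a forwarded packet xmit is what matters). A packet
# admitted on a staff interface is tagged with that interface's number, and
# each section drops packets carrying the other staff tag before any rule
# that would consult the dynamic ruleset, so a state opened on IF1 cannot
# let a packet out of IF2. The "to not" exclusion stops a denied
# staff2->staff1 packet from creating a half-open state that staff1 could
# later use in the other direction.
tagged_ruleset() {
  $FWCMD add 1000 skipto 29990 ip from any to any in recv "$IF1"
  $FWCMD add 1001 skipto 29990 ip from any to any out xmit "$IF1"
  $FWCMD add 1002 skipto 31990 ip from any to any in recv "$IF2"
  $FWCMD add 1003 skipto 31990 ip from any to any out xmit "$IF2"
  # Inet and the other router networks: only traffic belonging to a
  # staff-opened state gets through in either direction.
  $FWCMD add 2000 check-state
  $FWCMD add 2999 deny ip from any to any

  # IF1 section: isolation deny first, then state creation, then default deny
  $FWCMD add 29990 deny ip from any to any out xmit "$IF1" tagged 2
  $FWCMD add 29991 allow ip from "$NET_STAFF1" to not "$NET_STAFF2" in recv "$IF1" keep-state tag 1
  $FWCMD add 29995 deny ip from any to any

  # IF2 section, mirror image of the IF1 section
  $FWCMD add 31990 deny ip from any to any out xmit "$IF2" tagged 1
  $FWCMD add 31991 allow ip from "$NET_STAFF2" to not "$NET_STAFF1" in recv "$IF2" keep-state tag 2
  $FWCMD add 31995 deny ip from any to any
}

case "${1:-tagged}" in
  floating) floating_ruleset ;;
  tagged)   tagged_ruleset ;;
  *) echo "usage: $0 floating|tagged" >&2; exit 64 ;;
esac
```

The ordering inside each section is the point: the dynamic ruleset is consulted at the first check-state or keep-state rule a packet meets, so anything that must win over an existing state (the tagged deny here) has to be numbered before that rule, and the skipto dispatch guarantees a packet leaving IF2 never walks through the IF1 section's keep-state rule first. With the "to not" exclusions in 29991 and 31991 the tagged denies are not strictly needed for these two rules; they keep the isolation intact when further keep-state rules are added to a section, which is the "various stateless and stateful rules" case the post describes.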