keep-state and divert
Paul A Procacci
pprocacci at datapipe.net
Thu Apr 2 00:32:09 PDT 2009
Victor Sudakov wrote:
> Colleagues,
>
> I have read some recommendations on combining a stateful firewall with divert,
> e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
>
> Do I understand correctly that it is (mathematically?) impossible to
> use the two together without also using "skipto"?
>
> If we consider a simple example below, how would you replace the 600th
> rule for a stateful one?
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
>
> 00500 divert 8668 ip from table(1) to any in via rl0
> 00600 allow ip from table(1) to any in via rl0
> 00700 deny log logamount 100 ip from any to 10.0.0.0/8 in via rl0
> 00800 deny log logamount 100 ip from any to 172.16.0.0/12 in via rl0
> 00900 deny log logamount 100 ip from any to 192.168.0.0/16 in via rl0
>
> 65535 allow ip from any to any
>
> Thank you in advance for any input.
>
>
Hopefully you don't mind a response which provides a fully functioning
firewall ruleset. It's by no means complete, but should give you the
answer to your question.
http://procacci.me/ipfw.conf
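To make the interaction between divert, keep-state and skipto concrete, here is an added example, not code from the thread or from the linked ipfw.conf: a small Python model of how ipfw walks a ruleset for one outbound connection and its reply. It assumes rl0 is the outside interface, that table(1) holds the LAN that natd translates, and uses constructed addresses (192.168.1.0/24 behind a public 198.51.100.1); the two rulesets are written in the question's style but are not its rules. The first puts a stateful allow after the outbound divert, the second keeps state before NAT and uses skipto to reach the outbound divert, which is the usual FreeBSD Handbook layout.

```python
from dataclasses import make_dataclass, replace
from ipaddress import ip_address, ip_network
# Assumed topology (not from the thread): rl0 is the outside interface,
# table(1) holds the LAN natd translates, 198.51.100.1 is the public address.
TABLE1 = [ip_network("192.168.1.0/24")]
PUBLIC = ip_address("198.51.100.1")
Packet = make_dataclass("Packet", ["src", "sport", "dst", "dport", "direction", "iface"])

def parse(line):
    """ipfw subset: NNNNN action [arg] ip from SRC to DST [in|out] [via IF] [keep-state]"""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": 0, "src": "any", "dst": "any",
         "dir": None, "via": None, "keep": False}
    if r["action"] == "check-state":
        return r
    i = 3 if r["action"] in ("divert", "skipto") else 2   # divert port / skipto target
    r["arg"] = int(t[2]) if i == 3 else 0
    assert t[i:i + 2] == ["ip", "from"] and t[i + 3] == "to", line
    r["src"], r["dst"], rest = t[i + 2], t[i + 4], t[i + 5:]
    r["dir"] = next((x for x in rest if x in ("in", "out")), None)
    r["via"] = rest[rest.index("via") + 1] if "via" in rest else None
    r["keep"] = "keep-state" in rest
    return r

def ruleset(text):
    return [parse(line) for line in text.strip().splitlines()]

def addr_match(spec, addr):
    if spec == "table(1)":
        return any(addr in net for net in TABLE1)
    return spec == "any" or addr in ip_network(spec)

def matches(r, p):
    return (addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and r["dir"] in (None, p.direction) and r["via"] in (None, p.iface))

def state_key(p):
    # A dynamic rule matches both directions of the flow that created it.
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})

def natd(p, mappings):
    """natd as ipfw sees it: LAN sources become PUBLIC going out, known
    mappings are reversed coming in; ipfw then resumes at the next rule."""
    if p.direction == "out" and addr_match("table(1)", p.src):
        mappings[(PUBLIC, p.sport)] = p.src
        p.src = PUBLIC
    elif p.direction == "in" and (p.dst, p.dport) in mappings:
        p.dst = mappings[(p.dst, p.dport)]

def run(rules, pkt, mappings, state):
    """Evaluate one packet; returns (verdict, packet as it leaves the firewall)."""
    p, i = replace(pkt), 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state" and state_key(p) in state:
            action, arg = state[state_key(p)]   # act as the creating rule did
        elif r["action"] != "check-state" and matches(r, p):
            action, arg = r["action"], r["arg"]
            if r["keep"]:
                state[state_key(p)] = (action, arg)
        else:
            i += 1
            continue
        if action in ("allow", "deny"):
            return action, p
        if action == "divert":
            natd(p, mappings)
            i += 1
        else:   # skipto: continue at the first rule numbered arg or higher
            i = next(j for j, x in enumerate(rules) if x["num"] >= arg)
    return "deny", p   # ran off the end of the ruleset

# Stateful allow after the outbound divert: state is keyed on the public
# source, but rule 500 untranslates the reply before check-state sees it.
NAIVE = ruleset("""
00100 divert 8668 ip from any to any out via rl0
00200 allow ip from any to any out via rl0 keep-state
00500 divert 8668 ip from any to any in via rl0
00600 check-state
00700 deny ip from any to any in via rl0""")

# keep-state before NAT, skipto into the outbound divert: state is keyed on
# private addresses both ways, and the reply inherits the skipto past rule 400.
FIXED = ruleset("""
00100 divert 8668 ip from any to any in via rl0
00200 check-state
00300 skipto 1000 ip from table(1) to any out via rl0 keep-state
00400 deny ip from any to any in via rl0
01000 divert 8668 ip from any to any out via rl0
01010 allow ip from any to any""")

def session(rules):
    """LAN client connects out via rl0, server replies; returns (out verdict, wire src, in verdict, reply dst)."""
    mappings, state = {}, {}
    out = Packet(ip_address("192.168.1.10"), 40000, ip_address("203.0.113.5"), 80, "out", "rl0")
    v_out, wire = run(rules, out, mappings, state)
    reply = Packet(wire.dst, 80, wire.src, 40000, "in", "rl0")
    v_in, delivered = run(rules, reply, mappings, state)
    return v_out, str(wire.src), v_in, str(delivered.dst)
```

With NAIVE, `session` returns `('allow', '198.51.100.1', 'deny', '192.168.1.10')`: the connection leaves translated, but the reply is dropped by rule 700 because the dynamic rule was recorded with the public source and the reply has already been untranslated by rule 500. Moving the stateful allow in front of rule 100 fails the other way, since allow is terminal and the packet would leave rl0 with its private source, never reaching the divert. With FIXED the same call returns `('allow', '198.51.100.1', 'allow', '192.168.1.10')`: the dynamic rule is created before NAT with private addresses, so the untranslated reply matches at rule 200, and the skipto action it inherits jumps over the inbound deny to rule 1010. The model is deliberately small (no ports in the rule language, no TCP flags, one NAT mapping per source port); it is the ordering it demonstrates that matters.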