keep-state and divert
Victor Sudakov
sudakov at sibptus.tomsk.ru
Thu Apr 2 03:51:25 PDT 2009
Michael Powell wrote:
> >
> > With my example ruleset below, where would you put the keep-state
> > option?
> >
> >
> > 00100 divert 8668 ip from any to table(1) out via rl0
> > 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> > 00300 deny log logamount 100 ip from 172.16.0.0/12 to any out via rl0
> > 00400 deny log logamount 100 ip from 192.168.0.0/16 to any out via rl0
> >
> > 00500 divert 8668 ip from table(1) to any in via rl0
> > 00600 check-state
> ^^^^^^^^^^^
> Yes - the check-state line is required first in order to make use of the
> keep-state line later in the ruleset.
>
> 00650 allow ip from table(1) to any in via rl0 keep-state
It should be "out" here, not "in", because I want to permit outbound
traffic and corresponding return traffic. You might think of something like
650 allow ip from any to table(1) out via rl0 keep-state
However, if we place the "keep-state" rule at 650, only already
diverted packets will reach it, and it will be useless because the src
address will already have become the public one. I need a rule which
would permit return traffic to the RFC1913 hosts (i.e. after
dealiasing).
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
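The ordering problem described in this reply (keep-state placed after the outbound divert keys its dynamic rule on the already-aliased source, so the reply, once de-aliased by the inbound divert, no longer matches check-state) can be reproduced with a small model of ipfw's rule walk. The following is an added illustration, not code from the thread or from FreeBSD: one public address, addresses only (no ports or protocol), natd reduced to a dict, and table(1) replaced by an explicit RFC 1918 prefix test. The second ruleset is an assumption for illustration only: the classic skipto arrangement in which keep-state runs before the outbound divert and then jumps to it, so the dynamic rule is keyed on the private address while the packet still reaches natd.

```python
"""Toy model of ipfw rule traversal with divert(natd), keep-state and
check-state. Added illustration, not ipfw itself."""

PUBLIC_IP = "203.0.113.1"                          # constructed: rl0's public address
PRIVATE_PREFIXES = ("10.", "172.16.", "192.168.")  # crude RFC 1918 test for the toy


def is_private(ip):
    return ip.startswith(PRIVATE_PREFIXES)


class Natd:
    """Stands in for natd on divert port 8668: aliases an outbound src to
    PUBLIC_IP and remembers the remote peer so the reply's dst can be
    de-aliased back to the private host on the way in."""

    def __init__(self):
        self.peers = {}                  # remote address -> private host

    def divert(self, src, dst, direction):
        if direction == "out":
            self.peers[dst] = src
            return PUBLIC_IP, dst
        return src, self.peers.get(src, dst)


class Firewall:
    """Rules: (number, direction or None, action, skipto target, keep_state, match).
    Walked in ascending order. A divert hands the packet to natd and continues
    at the next rule, as ipfw does with the packet natd re-injects."""

    def __init__(self, rules):
        self.natd = Natd()
        self.rules = sorted(rules, key=lambda r: r[0])
        self.dynamic = {}                # (src, dst) -> (action, target)

    def process(self, src, dst, direction):
        i = 0
        while i < len(self.rules):
            num, rdir, action, target, keep, match = self.rules[i]
            i += 1
            if rdir not in (direction, None) or not match(src, dst):
                continue
            if action == "check-state":
                hit = self.dynamic.get((src, dst)) or self.dynamic.get((dst, src))
                if hit is None:
                    continue
                action, target = hit     # a dynamic rule carries its parent's action
            elif keep:
                # keyed on the addresses AS SEEN AT THIS RULE: after a divert
                # that is the public address, before it the private one
                self.dynamic[(src, dst)] = (action, target)
            if action == "divert":
                src, dst = self.natd.divert(src, dst, direction)
            elif action == "skipto":
                i = next((k for k, r in enumerate(self.rules) if r[0] >= target),
                         len(self.rules))
            elif action in ("allow", "deny"):
                return f"{action} ({num})", src, dst
        return "deny (default)", src, dst


ANY = lambda s, d: True

# Ruleset A: keep-state at 650, after the outbound divert at 100 (as in the thread).
AFTER_DIVERT = [
    (100, "out", "divert", None, False, ANY),
    (200, "out", "deny", None, False, lambda s, d: s.startswith("10.")),
    (300, "out", "deny", None, False, lambda s, d: s.startswith("172.16.")),
    (400, "out", "deny", None, False, lambda s, d: s.startswith("192.168.")),
    (500, "in", "divert", None, False, ANY),
    (600, None, "check-state", None, False, ANY),
    (650, "out", "allow", None, True, ANY),      # sees PUBLIC_IP as src by now
]

# Ruleset B (assumed arrangement, for illustration): inbound divert first,
# then check-state, then keep-state on a skipto that jumps to the outbound divert.
SKIPTO_IDIOM = [
    (100, "in", "divert", None, False, ANY),      # de-alias replies before check-state
    (101, None, "check-state", None, False, ANY),
    (450, "out", "skipto", 800, True, lambda s, d: is_private(s)),
    (800, "out", "divert", None, False, ANY),
    (801, None, "allow", None, False, ANY),
]


def round_trip(rules, host="192.168.1.10", remote="198.51.100.7"):
    """One packet from a private host to a remote peer, then the reply back in.
    Returns (outbound verdict, dynamic-rule keys, inbound verdict, dst after de-aliasing)."""
    fw = Firewall(rules)
    out_verdict, _, _ = fw.process(host, remote, "out")
    in_verdict, _, in_dst = fw.process(remote, PUBLIC_IP, "in")
    return out_verdict, sorted(fw.dynamic), in_verdict, in_dst


if __name__ == "__main__":
    for name, rules in (("keep-state after divert", AFTER_DIVERT),
                        ("skipto idiom", SKIPTO_IDIOM)):
        print(name, round_trip(rules))
```

With ruleset A the dynamic rule is stored as (203.0.113.1, remote) and the de-aliased reply to 192.168.1.10 falls through to the default deny; with ruleset B it is stored as (192.168.1.10, remote) and the reply is matched by check-state after the inbound divert has restored the private destination.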