On 2/4/15 12:13 AM, Lev Serebryakov wrote:
Ok, "allow-state"/"deny-state" was a very limited idea.
Here is a more universal mechanism: a new "keep-state-only" (aliased as
"record-only") option, which works exactly as "keep-state" BUT cancels the
match of the rule after state creation. It allows writing a stateful + nat
firewall as easily as:
nat 1 config if outIface

1000 skipto 2000 in
     skipto 3000 out
     deny all from any to any // Safeguard

2000 skipto 4000 recv inIface
     skipto 6000 recv outIface
     deny all from any to any // Safeguard

3000 skipto 5000 xmit inIface
     skipto 7000 xmit outIface
     deny all from any to any // Safeguard

4000 // For the sake of simplicity!
     // A real firewall will have some checks about the local network here
     allow all from any to any
     deny all from any to any // Safeguard

5000 // For the sake of simplicity!
     // A real firewall will have some checks about the local network here
     allow all from any to any
     deny all from any to any // Safeguard

6000 deny all not dst-ip $EXT_IP
     nat 1 all from any to any
     // All enabled with "keep-state-only" at block 7000 before NAT
     check-state all from any to any
     // Here could be accept rules for our servers or servers in the DMZ
     // Disable everything else
     deny all from any to any

7000 // Here go rules which could DISABLE outbound external traffic
     // Create state for "check-state" at block 6000 and fall through
     allow keep-state-only
     allow src-ip $EXT_IP // Save NAT some work
     nat 1 all from any to any
     allow all from any to any
     deny all from any to any // Safeguard
And variants with multiple NATs and "nat global" become as easy as
this, too! No stupid "skipto", no "keep-state" at the "incoming from local
network" parts of the firewall, nothing!
P.S. I HATE this "all any to any" part!

Can we get rid of it? (implied).. or just add "everything".
Also I am not sure about "keep-state-only"..
How about 'set-state'? or record-state as I started with..
--
// Lev Serebryakov
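An added toy model of the rule search in blocks 6000 and 7000 above, written to show the difference the proposed option makes: with plain "keep-state" the allow rule terminates the search before the "nat" rule, while "keep-state-only" records the state and lets the packet fall through to NAT, so the reply can later be matched by the pre-NAT state after the inbound "nat" rule restores the internal address. This is example code, not ipfw's own implementation or Lev's; it assumes one_pass=0 (the search continues after "nat"), a constructed $EXT_IP, made-up addresses, and a one-direction (proto, src, dst) tuple as the state key.

```python
# Toy model of ipfw rule evaluation (constructed example, not ipfw's own code) showing
# the proposed "keep-state-only": state is recorded like "keep-state", but the rule does
# not match, so the packet still reaches the following "nat" rule. Assumes one_pass=0
# (search continues after "nat"); a state is a one-direction (proto, src, dst) tuple.
EXT_IP = "198.51.100.1"   # constructed external address, $EXT_IP in the mail
STATE = set()             # dynamic states created by keep-state / keep-state-only
NAT_MAP = {}              # (proto, remote) -> internal address, filled on egress

def nat(pkt):             # minimal NAT: rewrite src on egress, restore dst on ingress
    p = dict(pkt)
    if p["dir"] == "out":
        NAT_MAP[(p["proto"], p["dst"])] = p["src"]
        p["src"] = EXT_IP
    elif p["dst"] == EXT_IP:
        p["dst"] = NAT_MAP.get((p["proto"], p["src"]), p["dst"])
    return p

def run(rules, pkt):      # rules: (number, action, options); returns (verdict, matched, pkt)
    matched = []
    for num, action, opts in rules:
        if opts.get("dir", pkt["dir"]) != pkt["dir"]:
            continue                      # direction qualifier did not match
        key = (pkt["proto"], pkt["src"], pkt["dst"])
        if action == "check-state":
            if key in STATE or (pkt["proto"], pkt["dst"], pkt["src"]) in STATE:
                return "allow", matched + [num], pkt
            continue                      # no state yet: fall through
        matched.append(num)
        if opts.get("state"):
            STATE.add(key)                # keep-state and keep-state-only both record...
            if opts["state"] == "keep-state-only":
                continue                  # ...but only keep-state-only cancels the match
        if action != "nat":
            return action, matched, pkt   # allow / deny end the search
        pkt = nat(pkt)                    # one_pass=0: keep searching after nat
    return "deny", matched, pkt           # ipfw's implicit default rule

def ruleset(state_opt):   # blocks 6000 (from outside) and 7000 (to outside), trimmed
    return [(6000, "nat", {"dir": "in"}), (6010, "check-state", {"dir": "in"}),
            (6020, "deny", {"dir": "in"}),
            (7000, "allow", {"dir": "out", "state": state_opt}),
            (7010, "nat", {"dir": "out"}), (7020, "allow", {"dir": "out"})]

def session(state_opt):   # LAN host connects out, server replies
    STATE.clear(); NAT_MAP.clear()
    out = {"dir": "out", "proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.7"}
    _, egress_rules, egress = run(ruleset(state_opt), out)
    reply = {"dir": "in", "proto": "tcp", "src": "203.0.113.7", "dst": egress["src"]}
    verdict, _, _ = run(ruleset(state_opt), reply)
    return egress["src"], egress_rules, verdict   # (src as it left, rules hit, reply verdict)
```

Running session("keep-state") shows the packet leaving with its internal source address and only rule 7000 hit; session("keep-state-only") shows it translated to EXT_IP after hitting 7000, 7010 and 7020, with the reply allowed by check-state in both cases.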