-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 08:13, Julian Elischer wrote:
> yes I think "keep-state" should be deprecated and replaced or
> supplemented by 'save_state' that does NOT do an implicit
> 'check-state'.. I don't know whose idea that was but it's just
> wrong. (if
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 19:55, Lev Serebryakov wrote:
>> Ok, "allow-state"/"deny-state" was very limited idea. Here is
>> more universal mechanism: new "keep-state-only" (aliased as
>> "record-only") option, which works exactly as "keep-state" BUT
>> cancel
*Cool, But maybe not all people are following this topic, so can you please
simplify it by answering below question in order to allow more people to
know what is going on here.*
*What kind of problem you are facing and how does your patch resolve it?*
On 4 February 2015 at 17:24, Lev Serebryako
On 4/02/2015 4:38 PM, Julian Elischer wrote:
> On 2/4/15 1:32 PM, Julian Elischer wrote:
>> On 2/4/15 12:13 AM, Lev Serebryakov wrote:
>>>
>>> And variants with multiple NATs and "nat global" becomes as easy as
>>> this, too! No stupid "skipto", no "keep-state" at "incoming from local
>>> network
On 2/4/15 5:24 PM, Lev Serebryakov wrote:
--
Re-installation of state (with second, third, etc... packet of
connection) should update TCP state of state (sorry!), or it will die
in 10 seconds.
This version seems to be final (apart from name of new option!).
It works perfectly on my route
On 2/4/15 5:22 PM, Lev Serebryakov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 08:13, Julian Elischer wrote:
yes I think "keep-state" should be deprecated and replaced or
supplemented by 'save_state' that does NOT do an implicit
'check-state'.. I don't know whose idea
On 2/4/15 6:08 PM, bycn82 wrote:
/Cool,
But maybe not all people are following this topic, so can you please
simplify it by answering below question in order to allow more
people to know what is going on here.
/
/What kind of problem you are facing and how does your patch resolve it?
/
le
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 14:11, Julian Elischer wrote:
> On 2/4/15 5:22 PM, Lev Serebryakov wrote: On 04.02.2015 08:13,
> Julian Elischer wrote:
>
yes I think "keep-state" should be deprecated and replaced
or supplemented by 'save_state' that does N
On Wed, 4 Feb 2015 19:121:46 +, Julian Elischer wrote:
> On 2/4/15 5:22 PM, Lev Serebryakov wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> >
> > On 04.02.2015 08:13, Julian Elischer wrote:
> >
> > > yes I think "keep-state" should be deprecated and replaced or
> > >
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 15:34, Ian Smith wrote:
> I don't get this .. we're always working on just one packet at any
> time, either inbound or outbound (to kernel), so how can
> check_state (or the check also on keep-state) apply to any other
> packets than t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 16:03, Lev Serebryakov wrote:
> To be honest, I want add not only "keep-state-only" (pure (1)),
> but, also have "keep-state-do-action-no-check" to have (1) + (3)
> without (2).
Ideally, here should not be implicit "check-state" at al
The possible issue is is that once NAT changes the IP address and
possibly the port number, state tracking can no longer be applied.
AKA, the packet headers before the NAT is different than the packet
headers after. This is why NAT needs to track the state instead of
ipfw.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 04.02.2015 18:13, Jason Lewis wrote:
> The possible issue is is that once NAT changes the IP address and
> possibly the port number, state tracking can no longer be applied.
> AKA, the packet headers before the NAT is different than the
> packe
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Looks like, there is no "freebsd-ipfw" mailing list from
Phabricator's point of view.
Please, review & comment!
https://reviews.freebsd.org/D1776
- --
// Lev Serebryakov
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
iQJ8BAEB
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
I have such rules in my firewall:
nat 9 config redirect_port tcp 192.168.134.2:16881 16881 redirect_port
udp 192.158.134.2:16881 16881 redirect_port tcp 192.168.134.2:22 2
nat 1 config ip $EXT_IP same_ports
...
// Packets from outer world
110
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 05.02.2015 01:16, Lev Serebryakov wrote:
> nat 9 config redirect_port tcp 192.168.134.2:16881 16881
> redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp
> 192.168.134.2:22 2
Also, if I add "log" to this config:
nat 9 config log r
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 05.02.2015 01:16, Lev Serebryakov wrote:
> I have such rules in my firewall:
>
> nat 9 config redirect_port tcp 192.168.134.2:16881 16881
> redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp
> 192.168.134.2:22 2
>
> nat 1 config
On Thu, 5 Feb 2015 02:14:41 +0300, Lev Serebryakov wrote:
> On 05.02.2015 01:16, Lev Serebryakov wrote:
>
> > I have such rules in my firewall:
> >
> > nat 9 config redirect_port tcp 192.168.134.2:16881 16881
> > redirect_port udp 192.158.134.2:16881 16881 redirect_port tcp
> > 192.168.134
18 matches
Mail list logo
