Hi ALL!
PF has a useful state-policy option: if-bound, group-bound, floating.
I have found out that IPFW stateful rules do not become attached to the interface
and behave like PF stateful rules in floating mode.
For example, I build stateful rules (29991, 31991) on two interfaces for two
different networks. I send a packet "pkt" from network net_staff1 to
network net_staff2. It creates a stateful rule on entering if1, then it gets access
to net_staff2 on output from if2 by the keep-state rule 31991.
Deny rule 31995 does not work.
I have solved this problem with tag and skipto (29990, 31990), but it is not
absolutely beautiful.
Are other solutions possible?
           +-----------------+
           |             if1 O----net_staff1
           |                 |-----<----pkt
----INET---O if0             |
           |                 |----->---->
           |             if2 O----net_staff2
           +-----------------+
ipfw add skipto 29000 ip from any to any via $if1
ipfw add skipto 31000 ip from any to any via $if2
############## IF1 29000
N_DA=29995
ipfw add 29990 skipto $N_DA log ip from any to any via $if1 tagged 65534 // bypass another stateful
ipfw add 29991 allow tag 65534 log ip from $net_staff1 to any via $if1 in keep-state // stateful
ipfw add $N_DA deny log ip from any to $net_staff1 via $if1 out
ipfw add 29999 skipto 65000 ip from any to any via $if1
############## IF2 31000
N_DA=31995
ipfw add 31990 skipto $N_DA log ip from any to any via $if2 tagged 65534 // bypass another stateful
ipfw add 31991 allow tag 65534 log ip from $net_staff2 to any via $if2 in keep-state // stateful
ipfw add $N_DA deny log ip from any to $net_staff2 via $if2 out
ipfw add 31999 skipto 65000 ip from any to any via $if2
Sorry for my English.
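As an added illustration (not part of the original post, and not ipfw code), here is a small Python model of how ipfw walks the ruleset above. It models only the parts that matter here: skipto, via, tag/tagged, and a keep-state rule performing an implicit check-state at the first stateful rule reached, with dynamic entries keyed on addresses and not on the interface that created them. The sample addresses (10.1.0.0/24 and 10.2.0.0/24), the numbers 100 and 200 given to the two unnumbered skipto rules, and an allow at 65000 standing in for the rest of the ruleset are all assumptions made for the model.

```python
"""Model of ipfw rule walking for the net_staff1/net_staff2 ruleset (added
illustration, not ipfw itself).  Shows why deny rule 31995 is bypassed: the
dynamic entry created by 29991 on if1 is found by the implicit check-state of
31991 on if2, so the parent rule's 'allow' wins.  Addresses, the numbers of
the two unnumbered skipto rules and the allow at 65000 are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

NET_STAFF1 = ip_network("10.1.0.0/24")   # constructed stand-in for $net_staff1
NET_STAFF2 = ip_network("10.2.0.0/24")   # constructed stand-in for $net_staff2
TAG = 65534


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                     # interface of the current pass
    direction: str                 # "in" or "out"
    tags: set = field(default_factory=set)   # mbuf tags persist between passes


@dataclass
class Rule:
    num: int
    action: str                    # "allow", "deny" or "skipto"
    target: int = 0                # skipto destination
    src: object = None             # ip_network; None means "any"
    dst: object = None
    via: str = None                # None means any interface
    direction: str = None          # "in", "out" or None for both
    tagged: int = None             # match only packets carrying this tag
    tag: int = None                # tag the packet when the rule matches
    keep_state: bool = False

    def matches(self, pkt):
        return ((self.src is None or ip_address(pkt.src) in self.src)
                and (self.dst is None or ip_address(pkt.dst) in self.dst)
                and (self.via is None or self.via == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction)
                and (self.tagged is None or self.tagged in pkt.tags))


def build_rules(with_tag_workaround):
    """The two per-interface blocks from the post.  With the workaround the
    tagged/skipto rules (29990/31990) exist and 29991/31991 tag the packet."""
    rules = [Rule(100, "skipto", target=29000, via="if1"),   # constructed numbers
             Rule(200, "skipto", target=31000, via="if2")]
    for base, net, ifn in ((29000, NET_STAFF1, "if1"), (31000, NET_STAFF2, "if2")):
        n_da = base + 995
        if with_tag_workaround:
            rules.append(Rule(base + 990, "skipto", target=n_da, via=ifn, tagged=TAG))
        rules.append(Rule(base + 991, "allow", src=net, via=ifn, direction="in",
                          tag=TAG if with_tag_workaround else None, keep_state=True))
        rules.append(Rule(n_da, "deny", dst=net, via=ifn, direction="out"))
        rules.append(Rule(base + 999, "skipto", target=65000, via=ifn))
    rules.append(Rule(65000, "allow"))    # assumption: the rest of the set passes
    rules.append(Rule(65535, "deny"))     # ipfw's default rule
    return sorted(rules, key=lambda r: r.num)


def walk(rules, dyn, pkt):
    """One pass of pkt through the rules; returns (action, rule number).
    dyn is the shared dynamic table: frozenset({src, dst}) -> (action, tag, parent)."""
    key = frozenset((pkt.src, pkt.dst))
    dyn_checked = False
    i = 0
    while i < len(rules):
        r = rules[i]
        # The first keep-state rule reached looks the packet up in the dynamic
        # table (implicit check-state).  No interface takes part in the lookup.
        if r.keep_state and not dyn_checked:
            dyn_checked = True
            if key in dyn:
                action, tag, parent = dyn[key]   # parent rule's action applies
                if tag is not None:
                    pkt.tags.add(tag)
                return action, parent
        if not r.matches(pkt):
            i += 1
            continue
        if r.tag is not None:
            pkt.tags.add(r.tag)
        if r.keep_state:
            dyn[key] = (r.action, r.tag, r.num)   # state created on this pass
        if r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
            continue
        return r.action, r.num
    return "deny", 65535


def forward_path(with_tag_workaround):
    """One packet net_staff1 -> net_staff2: pass 1 enters on if1 (creates state),
    pass 2 leaves on if2.  Returns the verdict of the outgoing pass."""
    rules = build_rules(with_tag_workaround)
    dyn = {}
    pkt = Packet("10.1.0.5", "10.2.0.7", "if1", "in")      # constructed addresses
    assert walk(rules, dyn, pkt) == ("allow", 29991)
    pkt.iface, pkt.direction = "if2", "out"   # same mbuf, tags preserved
    return walk(rules, dyn, pkt)


if __name__ == "__main__":
    print("without workaround:", forward_path(False))   # ('allow', 29991)
    print("with tag/skipto:   ", forward_path(True))    # ('deny', 31995)
```

Without the tag, the outgoing pass on if2 reaches 31991, whose implicit check-state finds the entry created by 29991 and applies that parent rule's allow, so 31995 is never evaluated. With the tag, 31990 recognises the packet and skips straight to the deny. The model only covers the forward path and does one dynamic lookup per pass at the first keep-state rule reached; protocol and port matching are left out.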
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net