Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04.02.2015 08:13, Julian Elischer wrote:

 yes I think keep-state should be deprecated and replaced or 
 supplemented by 'save_state'  that does NOT do an implicit 
 'check-state'.. I don't know whose idea that was but it's just
 wrong. (if the state exists, maybe just replace it..)
  Update, not replace :)
  See my Version-3 patch for record-state :)

- -- 
// Lev Serebryakov AKA Black Lion
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0eTUXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePoS0P/iCMeTo+fFA4iGwe/8FnlF+y
899fomt4tzOBppxg1r5/xx11OMB9DJ6VG1z8+61gzIg1jgxvAIBTBGz5oxIgyfv5
mtbEbfhsxsABYTASjwIQymxR1zvLCbyd7fWgDRhM8YJYEy/akWNzOwtbokrkK1Ww
3j2IODup3onYr5LhwoQZGPdtmIyH10rnEcs49IWUs1ZweWlJx7XRQOGBAepTQRx9
bh/D0owV1j9BBzyqd5n54aXiQpMKMIdOihmNOOUYhl0B3GksacWguV7Keabbv0Dh
Nnk3g/GrBYJPdmF0JqkocjrGxSuWAwBXfdXg3SoG8l1dPqaDg8UNVXq7VthS7FKO
8jyoRXaptbcrTjgG0SHdfnSzbhpLj78/PdGi1VvJwrvjnK2MNb6dZ2PE3E88ScgM
f7OIOef9GyLwgAPqn6TJeiC7Oddvq+vL1vEigqLMJscJ4ErwqX8RVidbkYdNmKCf
HYSd9mSJgkAMUH7q2U5PCRY9Ay6BOkuGHEqvMHGFClqBWb81RTyT8ZR+BL+JeqRr
QNilMWvUXJSGEcvMYijKiv2EVDB6by3sY2SK9KLa93H0jY1nR3XPpilpyLcHLzN9
5aVknqR2/TzFDS1BiSEg/wYipyqjgIyHTqqxj0Vd0pnZMSw3AqdrOSLz8mHJzXKp
3J8Y7Lw7fuM1N8Doq2Md
=/M0i
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04.02.2015 15:34, Ian Smith wrote:

 I don't get this .. we're always working on just one packet at any
 time, either inbound or outbound (to kernel), so how can
 check_state (or the check also on keep-state) apply to any other
 packets than that one?
  Simply enough: assume packet goes from internal network (in recv
em0, say) to external one, (out xmit em1). It passes firewall
twice, really. In ip_input() (it is matched by in) and ip_output()
(it is matched by out).

 Say, we have keep-state for this packet when it is in as last
action, something like allow keep-state to have this state to check
answer packet in recv em1 (note, em1 here) appropriately.

 And in out section we could have OTHER keep-state rule, for
locally originated packets (which never pass through as in ones). Of
course, this, second, keep-state is equipped with additional
conditions like src-ip me.

 Now, our transit packet creates state in in section and is passed
to out section. And it triggers this state on src-ip me keep-state
rule! It doesn't belong to this rule! But doesn't pass conditions of
this rule! It SHOULD NOT BE AFFECTED by this rule, match failed, try
next one! But -BANG-! keep-state has implicit UNCONDITIONAL
check-state! So, we need additional stupid skipto like this:

XXX skipto ZZZ not src-ip me
YYY allow src-ip me keep-state
ZZZ nat 1 // out

 To me, it is stupid, contra-intuitive, non-orthogonal and bad design.

 I think, there is THREE DIFFERENT things:

(1) Creation/updating of state, with normal condition checks on packet.
(2) Checking packet against state table, updating state, performing
action (if appropriate state is found, of course).
(3) Performing action WHEN state is created (not checked!)

 Now ipfw has very tangled way to do this. We have:

 (A) (2) + (1) + (3) (in this order, please, note that condition
checks are done in (1), not BEFORE this chain). It is keep-state.

 (B) (2). It is check-state

 (c) (3). It is stateless rule.

 That's all! You could not do (1) without (2). You could not do
conditional (1). You could not do (1) but not (3). Nothing!

 And if conditional (2) may be too much, but only possible to go to
(1) is via (2) and inevitable (3) after that is too much, IMHO! It is
very obscure behavior!

 To be honest, I want add not only keep-state-only (pure (1)), but,
also have keep-state-do-action-no-check to have (1) + (3) without (2).

- -- 
// Lev Serebryakov
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0hiMXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePd60P/iTr55i4uyLfa7cf/TH9ypdt
S9iP23qGZDPo+YzjVfmcyBNWbYJ2eNfkve9DhYHoizpacqHeepnWfMxNPdSf0kLI
lZ0qYt/EtwTDCOoSx+wE/c1ywzvHUKO7k631GS/EpRbUwli5yEZnJEFwJPlEJ8WY
A3uBtPxBAn3CEiS7ps91Da260Qt3xgw4Sv99YOzY7k2etUOsj8r2EEkLG8gsH96V
Pk4udb17Kc0WygwNN7OaI1mxXaoKkd6NzZM4W0WvWy5fKgD/Rhep5hD4/oFixfsJ
HKxjYjUDrzc6/elL5GW1+OwzQ08+KziriRqBT2QMOJnso9a1yQc/5jvO1C4zol9Y
wF3ZgcMIAJKBmOdkWHPMfrhNYMutI8gPsKH063BRkHFTtTQb7yL8bysLYE1P23lM
hzl3ubZtcas7Z5kBpsAL2L0xXLReMCCTSULv0oQDitb6H4z3eUeN5iq2Sk6b0uwB
J6mZiHCYU48KU0ST4/UAnZFYX4mUFTiIfP2KzekdZ+BUNdGgdVr177EJChZxBL4M
x/In6x944pwRxCExFa10OSMzQqdOJ+IQEfS1LfG+l/A4X7Rjx87Gbb4A/3ePkkdA
HoZLACmRfFGxmWILZa8EtldUvDsOjXs+Q08rpvp2So0szcM0N5XIixDbnLEvCqFu
xn6GOWuyaJVzZlpllCV0
=ALXi
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04.02.2015 16:03, Lev Serebryakov wrote:

 To be honest, I want add not only keep-state-only (pure (1)),
 but, also have keep-state-do-action-no-check to have (1) + (3)
 without (2).
 Ideally, here should not be implicit check-state at all, and should
be two options to rule:

 (1) keep-state
 (2) skip-immediate-action

 So, current keep-state becomes two-rules:

 check-state all from any to any
 rule keep-state

 And all other variants are possible too, like

 rule keep-state skip-action

 and meaningless, but still possible,

 rule skip-immediate-action

 It is hard to add now in backward-compatible way, though.

 But may be... May be... I should think! It looks like doable on
second glance, and better (more flexible  orthogonal) that my current
proposal!

- -- 
// Lev Serebryakov
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0hrdXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePGFcP/0CpmLVadnVjQqC+PLQVpT4E
cqLy5RfE4D587JeaXfoDher7J/WJj02NKJWkuhZqkvuZAVvFx5xiyl63X9yR1ASR
a8rHGkM9pa4wbQ9XA2YKlhsaVntQtmmk1/qyp9AZecX/aZl6taWualeRCPGgNSvC
lP6JdUCTelUIjlGwvsKI4Xu9ljuV59PaYh3SxLXxQSuyr5CA1ayRjT5e6Mp7SLPk
gfy38Cq7PmrwrQAtkYfcP8K9fYTpnHaKqXYKpELSIqbpKGUcB0AnloXg9u2fJbmD
Ux8lf0MvpDOiw0UfcHaypluLzU0/vuWE9EwyXe4p6GbdWjd9YXwgkbMsCWcR5lbT
KJrAo0Jk2//blLFtKNDSLHb3JpKjSQkVRE/dhNOr066m682xnloPxFPE1p1e79P8
9D4Yi/ii2CGR15tP9keNjnDEOvO5JSSD+kHH/elUyuHye++UjKKNJoDCp5JIopFr
SJ7NHYyVhlMmIMWIQeXUIRoNxblv9C5C9G2k7nBMlaxWN8VG0AKIerRyHTrEtwzt
0M9Tb6Et7dXULvqR0U+PgXvOLDo+DmmYf5cZiUCsVnLba0UwcWt7i2qWsA9KmQEE
ZqTaVz8cJSkHybQLqlGtIwMfWgh7s6XSAjaPgk0OviDNCwTs9Ry/6QRPpCnkcC5p
wsN8ML5mL59HqlkIvTxU
=gWCG
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Jason Lewis]

The possible issue is is that once NAT changes the IP address and
possibly the port number, state tracking can no longer be applied.
AKA, the packet headers before the NAT is different than the packet
headers after.  This is why NAT needs to track the state instead of
ipfw.
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Julian Elischer]

On 2/4/15 5:22 PM, Lev Serebryakov wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04.02.2015 08:13, Julian Elischer wrote:


yes I think keep-state should be deprecated and replaced or
supplemented by 'save_state'  that does NOT do an implicit
'check-state'.. I don't know whose idea that was but it's just
wrong. (if the state exists, maybe just replace it..)

   Update, not replace :)
   See my Version-3 patch for record-state :)
I meant a function that acts like 'keep-state' except it does not do a 
'check-state'.

Im suggesting adding yet-another command. a 'fixed' keep-state.

I sort of know why they did it.. so that if the state for that session 
already exists,
the original state rule is used and not the new rule. but ..it fires 
on other packets

as well as the one you are working with.




- -- 
// Lev Serebryakov AKA Black Lion

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0eTUXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePoS0P/iCMeTo+fFA4iGwe/8FnlF+y
899fomt4tzOBppxg1r5/xx11OMB9DJ6VG1z8+61gzIg1jgxvAIBTBGz5oxIgyfv5
mtbEbfhsxsABYTASjwIQymxR1zvLCbyd7fWgDRhM8YJYEy/akWNzOwtbokrkK1Ww
3j2IODup3onYr5LhwoQZGPdtmIyH10rnEcs49IWUs1ZweWlJx7XRQOGBAepTQRx9
bh/D0owV1j9BBzyqd5n54aXiQpMKMIdOihmNOOUYhl0B3GksacWguV7Keabbv0Dh
Nnk3g/GrBYJPdmF0JqkocjrGxSuWAwBXfdXg3SoG8l1dPqaDg8UNVXq7VthS7FKO
8jyoRXaptbcrTjgG0SHdfnSzbhpLj78/PdGi1VvJwrvjnK2MNb6dZ2PE3E88ScgM
f7OIOef9GyLwgAPqn6TJeiC7Oddvq+vL1vEigqLMJscJ4ErwqX8RVidbkYdNmKCf
HYSd9mSJgkAMUH7q2U5PCRY9Ay6BOkuGHEqvMHGFClqBWb81RTyT8ZR+BL+JeqRr
QNilMWvUXJSGEcvMYijKiv2EVDB6by3sY2SK9KLa93H0jY1nR3XPpilpyLcHLzN9
5aVknqR2/TzFDS1BiSEg/wYipyqjgIyHTqqxj0Vd0pnZMSw3AqdrOSLz8mHJzXKp
3J8Y7Lw7fuM1N8Doq2Md
=/M0i
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org



___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Ian Smith]

On Wed, 4 Feb 2015 19:121:46 +, Julian Elischer wrote:
  On 2/4/15 5:22 PM, Lev Serebryakov wrote:
   -BEGIN PGP SIGNED MESSAGE-
   Hash: SHA512
   
   On 04.02.2015 08:13, Julian Elischer wrote:
   
yes I think keep-state should be deprecated and replaced or
supplemented by 'save_state'  that does NOT do an implicit
'check-state'.. I don't know whose idea that was but it's just
wrong. (if the state exists, maybe just replace it..)
  Update, not replace :)
  See my Version-3 patch for record-state :)
  I meant a function that acts like 'keep-state' except it does not do a
  'check-state'.
  Im suggesting adding yet-another command. a 'fixed' keep-state.
  
  I sort of know why they did it.. so that if the state for that 
  session already exists, the original state rule is used and not the 
  new rule. but ..it fires on other packets as well as the one you are 
  working with.

I don't get this .. we're always working on just one packet at any time, 
either inbound or outbound (to kernel), so how can check_state (or the 
check also on keep-state) apply to any other packets than that one?

I've seen examples that run keep-state on the same packet both before 
and after NAT, ie state on both the internal and external addresses, 
which is even more confusing and surely inefficient too.

I'm not sure that everyone realises that it's the first check-state or 
keep-state rule _encountered_ - ie not skipped around - that matters.

A good, definitive tutorial on how to best handle stateful, NAT'd rules 
would be useful, because there are a few different theories in the wild.

Personally I only run stateful on a few types of session, and then 
always using the internal addresses, but that's just one of the ways .. 
but doing _everything_ statefully seems to be the Holy Grail to some.

cheers, Ian
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04.02.2015 14:11, Julian Elischer wrote:
 On 2/4/15 5:22 PM, Lev Serebryakov wrote: On 04.02.2015 08:13,
 Julian Elischer wrote:
 
 yes I think keep-state should be deprecated and replaced
 or supplemented by 'save_state'  that does NOT do an
 implicit 'check-state'.. I don't know whose idea that was but
 it's just wrong. (if the state exists, maybe just replace
 it..)
 Update, not replace :) See my Version-3 patch for record-state
 :) I meant a function that acts like 'keep-state' except it does
 not do a 'check-state'. Im suggesting adding yet-another command. a
 'fixed' keep-state.
  Yep. Maybe, additional option? Which will work only on user level
and force to skip generation of O_PROBE_STATE? Now on KERNEL level
nothing force this check, it is additional opcode, added by user-level
compiler.
  Only thing we need to make it work properly is in my last patch for
record-state: add TCP state propagation to install_state function
to make it able to update existing state properly.
  and after that you don't need any additional opcodes for
keep-but-not-check-state command/option, it will be user-level change.


 I sort of know why they did it.. so that if the state for that
 session already exists, the original state rule is used and not the
 new rule. but ..it fires on other packets as well as the one you
 are working with.
  Yep, because O_PROBE_STATE is FIRST opcode always. It is matter of
compilation.

- -- 
// Lev Serebryakov
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0gOIXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EeP/1sQAKMgZyk3BVCXB8Q+Rmvy/D0K
YhPICBbPqUWHw35HfXG0hgw66pa/SX0G68HO2LoxurbxFtu3pdsKA3X8ok4J3Yvb
374MPQcUYFxoUmvjjWUpNMGUBBm72TPk61cjUdsWWJoYWrLJmM0UMJ2wJREvS2D6
s0hUuFGBb/OaTW8aHWY2gAwViPDxR2gQmX8Pw6XpZLxR3ZyNcMTnx78jGn+8jykM
tLxmLjlOSAw4XfsbkiG6X7CmkgyFhcN/B6cpRNB8qsLSmG6rzBup6JrAcFYRq/63
LUj8Z0azwJoHqeLBKZ7RfcfqbB9PMdMTaufBPxQVclQntERkN4nEacT4LSRd1aoL
2zEKMV+PN8X4sL3h73laURLq5lHOVuJsG73YGR1n/IPtlkeeLu1zOADjPRd/0ZY+
kOWzvE00RGhb1mt2LNpL9qZQ8oIcf0r3pYuZKmV0vT7BnQ/Pw4lMjcPyHPSJyFgR
yn2fslDvytg8e/iPvHuOm6h8t6Um3bAbV2LrW4fHSgbhMPGt/nzwuRicMoj6o+Fx
r3q+ITM54QbodBZuS0Ie7IvCNZIfYwwp27GS1lZ8lEv1lYy4kVW9B3AOZzows5XW
YWjVz4xzYd3qaTQyoNij9NFJYVx52IXoAP23PFPDhbr1OFhomGVXQCgu/KS3JHOQ
kR5C1h4iKmkjLUCmDC/P
=sqjh
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 04.02.2015 18:13, Jason Lewis wrote:

 The possible issue is is that once NAT changes the IP address and 
 possibly the port number, state tracking can no longer be applied. 
 AKA, the packet headers before the NAT is different than the
 packet headers after.  This is why NAT needs to track the state
 instead of ipfw.
 If you create state and check state on proper ends of NAT (for
example, create state for connection BEFORE out-NAT, with internal
addresses, and check it AFTER in-NAT, with internal addresses again),
it will work. But now, when state creation is terminal action AND
state checking in one box, it is hard to implement and leads to very
non-intuitive rule sets.

- -- 
// Lev Serebryakov
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0jiVXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePTnQP/2kxqyTxUSa3RBLBsoq58iL4
IeGarQ7PrTVVaBTEVzhabU0yPuORpMqrwf47nImAZQWHcQP7UUjO+VjjqDthwwe8
S3CElbPFW86HmYLB7Nz1Lhg7n0eaKG6xxDO5um/b3cWuK7B3DiU+9oW7OHICF0Xa
mk5Z9koVuAS3yuvT6PecSRgziV6HgxEKgYgNCgN+JmXWlL/H8kYUuYKBQTv1snkw
hcRLKrRp31KavH8CRiTf6uBCozS4URvr6xRSfrkjcuU9LUlvHcI6jBCm7yOAEeDH
HkcU5g5mNSK0vdJXZVmtveFADs8RrtAtovxt4FQZCjYPBhCDMRvM9IPQX8eK8tKX
8efJHb6DPIZQs+AeEhL1jeNJTu/UJRUag65Aua7TXq7jcopOMHM85aNMs6FzyqeG
eT5Epc+oZ0Zbi0RAZzqvUeQSnARPE4tGddoOK5z5YMbF0jSiHM5ftfYncOp8YvDE
uJMQAHOU4CHfuK/knzNkZ4VoD3+i+/fIiR4knNCLCe1wOvY9QmI+3iyk6JGZ4GJ9
vc7W+XCSnfuhFq5+o/8Lr+50z2qpmkJVaWoRW4DItWiHrWbx6dngL2aY8+e7TjEk
24rRQb16uYC6w3dUkNiKHMtUEaN+Zzju186jbQZpPjX6Rz4/9i2DJ6qYiZDWV28x
e5TUOek2WeiROK+VvF/2
=XfPm
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Julian Elischer]

On 2/3/15 6:23 PM, Lev Serebryakov wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03.02.2015 13:04, Ian Smith wrote:


Now to make stateful firewall with NAT you need to make some not
very readable tricks to record state (allow) of outbound
connection before NAT, but pass packet to NAT after that. I know
two:

(a) skipto-nat-allow pattern from many HOWOTOs

Lev, can you provide references for these HOWTOs you refer to?

I have a suspicion that some of them should be taken out and shot.

  google for FreeBSD ipfw nat stateful :) There are lot of them. Not
real HOWTOs, but blog posts  alike.

  BTW, without new mechanism it is really hard to do such firewall, as
we need action (nat) after allow keep-state. It could be done with
this ugly skip-to or with allow keep-state in INCOMING section of
firewall, what is not much better, as I prefer to decide let packet
out or not in OUTCOMING part of firewall and with allow keep-state
in incoming path it flood state table with unused states.

  Another problem, that keep-state acts as check-state too, so you
could not have ANOTHER keep-state before NAT in outgoing part or you
miss nat completely (sate is created in outgoing path, and then
checked before nat in outgoing path with keep-state, gr, ugly!).


yes I think keep-state should be deprecated and replaced or 
supplemented by 'save_state'  that does NOT do an implicit 
'check-state'.. I don't know whose idea that was but it's just wrong. 
(if the state exists, maybe just replace it..)






- -- 
// Lev Serebryakov AKA Black Lion

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0KGqXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePYvYQALeGCF9EuZKP3jLDaRwad+TO
IhYq5I3xPPqU3eNEdQ6OqdFonVQ4mDB+UipZzspC/U5drf1qo2LkOF8oBNDlVDW4
2I+bgYStptIkpSoBOe5AGRYwO3jfec77GvXhR8cMeQZK2Z9NIazn5ZtFkdQyiiDU
+b7pxBQ0SbbMUT3hubl4H+v93dMGfjnzrFg1aSY4/uYnmilb8plWN1o4BshZVMSz
z1lrFSaorj4RNYxnpM6f6YtDDYx4TahA7+OILl/BvzmNoztWb5hKNX+1TGLZPcch
QE19iix+8O75yuVEMim6FxZ7u6sRk+4PpL/WzCLC2PpPxP/AyiFRh4zw7Q34HDNm
xPe4Nfzt5vDj0/2HYMY0q0UeSfVY/U0iB3TWmV/3HFObaLeibCgHqOFGmtCpHw5/
EXJX36mpffO1wI6ImPAvQ9C/wE6/JdoL8R3EPrsN3hdNmoVNIrnDuaeAwiQM6Ljm
4CHzsqlYYzyjzgyMmmJahaZ3Lrr0IjnVixC3/z46SfpPipaua8Pr+oZozC4WFmnn
4IhsXH+XK7fTbKQaZML6o9j6Bm0hs9g6mt+VSWCYWGCHh/V3DzTuH2BECUeC8lsD
9pwHv4x4vPbh7d/kBwAl75mOe3etb8nD/+i+x0oqbPn0T73DgdGgYPnIKqElOi4Y
Ws6uw/Euno3YnSSds5Eb
=FJZe
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org



___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Julian Elischer]

On 2/3/15 5:30 PM, Lev Serebryakov wrote:



looking at my own rules I don't seem to have a problem..

   You have check-state only once, on entrance, before all NATs, so
it could work only for packets which don't need NAT. And looks like
(correct me if I'm wrong) you don't try to track states of connections
passed through NAT.


yes, because NAT is a stateful filter so it's a duplication
- -- 
// Lev Serebryakov AKA Black Lion

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)



___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Ian Smith]

On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
  On 03.02.2015 13:04, Ian Smith wrote:
  
   Now to make stateful firewall with NAT you need to make some not
   very readable tricks to record state (allow) of outbound
   connection before NAT, but pass packet to NAT after that. I know
   two:
   
   (a) skipto-nat-allow pattern from many HOWOTOs
   
   Lev, can you provide references for these HOWTOs you refer to?
   
   I have a suspicion that some of them should be taken out and shot.
  
   google for FreeBSD ipfw nat stateful :) There are lot of them. Not
  real HOWTOs, but blog posts  alike.

As I suspected, most of them either are or refer to or are based on the 
handbook IPFW page, which I believe has caused more damage to the cause 
of IPFW adoption and usage than anything else.  ipfw(8) is your friend, 
and pretty much your only friend in this regard.

Of those, https://nileshgr.com/2014/12/07/freebsd-ipfw-nat-jails isn't 
bad.  Many of the others are up to 10 years old and not much help.

http://www.pl.freebsd.org/doc/handbook/firewalls-ipfw.html is an earlier 
version of https://www.freebsd.org/doc/handbook/firewalls-ipfw.html 
which has undergone significant improvement lately (compare), but still 
contains factual errors in the rulesets and very muddle-headed ideas 
regarding syslog and other things, IMHO.

I'd best say no more on this topic; you can't discombobulate confusion.

Cheers, Ian out

   BTW, without new mechanism it is really hard to do such firewall, as
  we need action (nat) after allow keep-state. It could be done with
  this ugly skip-to or with allow keep-state in INCOMING section of
  firewall, what is not much better, as I prefer to decide let packet
  out or not in OUTCOMING part of firewall and with allow keep-state
  in incoming path it flood state table with unused states.
  
   Another problem, that keep-state acts as check-state too, so you
  could not have ANOTHER keep-state before NAT in outgoing part or you
  miss nat completely (sate is created in outgoing path, and then
  checked before nat in outgoing path with keep-state, gr, ugly!).
  
  
  - -- 
  // Lev Serebryakov AKA Black Lion
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03.02.2015 13:04, Ian Smith wrote:

 Now to make stateful firewall with NAT you need to make some not
 very readable tricks to record state (allow) of outbound
 connection before NAT, but pass packet to NAT after that. I know
 two:
 
 (a) skipto-nat-allow pattern from many HOWOTOs
 
 Lev, can you provide references for these HOWTOs you refer to?
 
 I have a suspicion that some of them should be taken out and shot.

 google for FreeBSD ipfw nat stateful :) There are lot of them. Not
real HOWTOs, but blog posts  alike.

 BTW, without new mechanism it is really hard to do such firewall, as
we need action (nat) after allow keep-state. It could be done with
this ugly skip-to or with allow keep-state in INCOMING section of
firewall, what is not much better, as I prefer to decide let packet
out or not in OUTCOMING part of firewall and with allow keep-state
in incoming path it flood state table with unused states.

 Another problem, that keep-state acts as check-state too, so you
could not have ANOTHER keep-state before NAT in outgoing part or you
miss nat completely (sate is created in outgoing path, and then
checked before nat in outgoing path with keep-state, gr, ugly!).


- -- 
// Lev Serebryakov AKA Black Lion
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0KGqXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePYvYQALeGCF9EuZKP3jLDaRwad+TO
IhYq5I3xPPqU3eNEdQ6OqdFonVQ4mDB+UipZzspC/U5drf1qo2LkOF8oBNDlVDW4
2I+bgYStptIkpSoBOe5AGRYwO3jfec77GvXhR8cMeQZK2Z9NIazn5ZtFkdQyiiDU
+b7pxBQ0SbbMUT3hubl4H+v93dMGfjnzrFg1aSY4/uYnmilb8plWN1o4BshZVMSz
z1lrFSaorj4RNYxnpM6f6YtDDYx4TahA7+OILl/BvzmNoztWb5hKNX+1TGLZPcch
QE19iix+8O75yuVEMim6FxZ7u6sRk+4PpL/WzCLC2PpPxP/AyiFRh4zw7Q34HDNm
xPe4Nfzt5vDj0/2HYMY0q0UeSfVY/U0iB3TWmV/3HFObaLeibCgHqOFGmtCpHw5/
EXJX36mpffO1wI6ImPAvQ9C/wE6/JdoL8R3EPrsN3hdNmoVNIrnDuaeAwiQM6Ljm
4CHzsqlYYzyjzgyMmmJahaZ3Lrr0IjnVixC3/z46SfpPipaua8Pr+oZozC4WFmnn
4IhsXH+XK7fTbKQaZML6o9j6Bm0hs9g6mt+VSWCYWGCHh/V3DzTuH2BECUeC8lsD
9pwHv4x4vPbh7d/kBwAl75mOe3etb8nD/+i+x0oqbPn0T73DgdGgYPnIKqElOi4Y
Ws6uw/Euno3YnSSds5Eb
=FJZe
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Lev Serebryakov]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 03.02.2015 12:30, Lev Serebryakov wrote:

 keep-state. Problem is, it adds if branch for EACH action (in 
 kernel code). IMHO, it is very prohibitive. I've though about
 that, but decide it is too expensive to have if (!iHaveRecordOnly
 || fromDynamic) for EACH action, always. It could be done easily,
 of course.
 Oh, I'm stupid! I know how to do keep-state-only cheap for fast path!

 I'll prepare new patch today or tomorrow.

 Also, I BADLY want keep-state-but-dont-check one. Sometimes it adds
couple of skipto rules to avoid keep-state because it will trigger
check too, even if MATCH will fail.

- -- 
// Lev Serebryakov AKA Black Lion
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQJ8BAEBCgBmBQJU0KJTXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRGOTZEMUNBMEI1RjQzMThCNjc0QjMzMEFF
QUIwM0M1OEJGREM0NzhGAAoJEOqwPFi/3EePTEMP/R3MZ8AmqKA0h7pFPy5SCwjT
/zhnjjRvk+sDpc5BJPA/xIXV8IBupCPBCDR8CvCcqbaxFBECTTbW+JHCaHB0idXf
F7lI2fTjiXcx5EK3E1RkjJ8dbRuHLAiYttMA4e1YIZBidsflgX/wLIEexseeia1K
Vqh0NLofJLgzZET+wDbDBNncgWSaUnyJyW05BtVDUi/kpHekpZg4zm71gfWAoLgl
tROv3i0y1YfkulwzZ84BcegsEAPMqD11AhSYZayeF1Ozl5jBGXTpC4rhaOQNYl7n
+Hcr828rOZFiP/b4p/QhHx0TAMdYm3oqxSXMtr8GzWK+q5cClk7vdBv2Nj2W5f43
jOaJhDHgy21HxKCmFKKvSg/ZMb43F21ZHh0hU4eVlAK+AH74cli8hISTzZo4KxwC
g74vUIPQkKs177UB+Hx1ADxwmur9fzbJpWWcK5zd/bLKQ8klUfiVrXp4awqLHma5
z6mKH89pxG9IC8rHFODetgfyvCJCiI0VY8bYuR8zJ6ciyk4NLGVhLk/VlzPyap8Y
IT8O+kYLCaOWPbJvR+Zqti+hnvsk+5JnGxa16tVUkxXiJfh7VfWt9dDQ12Z9At1t
srjr79R9yEJ0aPYKZRT4Z3q+CPhJZ+TpZyCxX3QT0vJuzewrj+R0CwSPP2xaWUZ3
x+Z6nsvc0bx37IgR7vsx
=DlMK
-END PGP SIGNATURE-
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Ian Smith]

On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote:

   Now to make stateful firewall with NAT you need to make some not very
  readable tricks to record state (allow) of outbound connection
  before NAT, but pass packet to NAT after that. I know two:
  
   (a) skipto-nat-allow pattern from many HOWOTOs

Lev, can you provide references for these HOWTOs you refer to?

I have a suspicion that some of them should be taken out and shot.

cheers, Ian
___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: [RFC][patch] Two new actions: state-allow and state-deny

[Julian Elischer]

On 2/3/15 3:17 AM, Lev Serebryakov wrote:


  I propose two new actions: state-allow and state-deny.

  They imply keep-state and create new dynamic rules, when called
directly, but pass packet to NEXT rule after that (don't stop search).

  When they are called as dynamic rule, they acts as allow and deny.

  So, stateful firewall with NAT could be rewritten like this:

add 1000 skipto 2000 all from any to any out xmit outIface
add 1010 skipto 3000 all from any to any in  recv outIface

add 2000 state-allow from any to any // keep-state is implied
add 2010 nat NR from any to any // No out here!
add 2020 allow all from any to any

add 3000 nat NR from any to any
add 3010 check-state // Use dynamic rule based on 2000 as allow here

  What do you think?


I understand what you are trying to do..
but part of the usefulness of the state runes is that they
can be any action, not just allow and deny.
I might try the following action:

record:  (or record-only)
it allows the rule to be stored, but the action is not performed.
on check-state, the rule is performed..

so skipto 2000 ip from me to fred 80 record-only out xmit bge0
would do nothing but record the session
and on input the session packet would skipto 2000

you could do deny or accept  as well so it's a superset of what you 
suggest.

I'm not sure where in the rule record-only shoudl be put..
maybe

ipfw add 1000 log record-only skipto 2000 tcp from me to fred 80,443 
out xmit bge0


might be more syntactically correct?

What I would find more useful, is separate state rules for each interface.
so you could not have the danger of a packet on interface A adding a 
rule that eventually does something unexpected on a packet on interface B.



looking at my own rules I don't seem to have a problem..

Just for kicks,
here is the base ipfw script.. just sets up the framework

---
#!/bin/sh

fwcmd=/sbin/ipfw

# Suck in the configuration variables.
if [ -z ${source_rc_confs_defined} ]; then
if [ -r /etc/defaults/rc.conf ]; then
. /etc/defaults/rc.conf
source_rc_confs
elif [ -r /etc/rc.conf ]; then
. /etc/rc.conf
fi
fi


# set these to your outside interface network and netmask and ip
oif=tun0
onet=192.168.36.0
omask=24
oip=x.x.x.x


# set these to your inside interface network and netmask and ip
iif=vr0
inet=192.168.2.0
imask=255.255.255.0
iip=192.168.2.21

# for not the natd target is us but change this if you
# change that in natd.conf
natd_target=${oip}
work_vpnserver=y.y.y.y

INCOMING=4000
OUTGOING=8000
LOCAL=1000
SET=1

sysctl net.inet.ip.fw.enable=0
${fwcmd} -q flush
${fwcmd} -q table 1 flush
${fwcmd} -q table 2 flush
${fwcmd} -q table 3 flush
${fwcmd} -q table 4 flush

${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 172.16.0.0/12
#${fwcmd} table 1 add 192.168.0.0/16
 # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
 # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST 
(class D),

 # and class E) on the outside interface
${fwcmd} table 1 add 0.0.0.0/8
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4

# add legit sources of ssh.. DNS is not up yet so use IPs
# could add to /etc/hosts I guess.
#  myotherhouse.org
${fwcmd} table 2 add a.b.c.d
#  work
${fwcmd} table 2 add c.d.e.f/24
#  my vps
${fwcmd} table 2 add f.g.h.i/24

# add legit DNS tcp (zone) sources
#  my.dns.friends
${fwcmd} table 3 add m.n.o.p
#  my.dns.friend
${fwcmd} table 3 add q.r.s.t
#  my.vps
${fwcmd} table 3 add f.g.h.i

# Add our local networks here
${fwcmd} table 4 add 192.168.2.0/24
${fwcmd} table 4 add 172.16.15.0/24

# common spoofing code
# --- ALL PACKETS START HERE. 

${fwcmd} set disable ${SET}

# Stop localhost spoofing
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8
${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any

# If we've already decided on it. keep our word.
${fwcmd} add check-state

# Interception rules for external interfaces go here ---

# Internal traffic. generally don't care
# except to stop spoofing.
# make extra sure we don't block DHCP to our server (me)
# as initial request will be from 0.0.0.0/0

${fwcmd} add ${LOCAL} set ${SET} allow udp from any to any 67 
in recv ${iif}

${fwcmd} add allow udp from any 67 to any out xmit ${iif}

# other wise it has to be to 

Re: [RFC][patch] Two new actions: state-allow and state-deny

[bycn82]

*cool, I like this, it got some points.*
*though the email is too long to be read.*

On 3 February 2015 at 14:44, Julian Elischer jul...@freebsd.org wrote:

 On 2/3/15 3:17 AM, Lev Serebryakov wrote:


   I propose two new actions: state-allow and state-deny.

   They imply keep-state and create new dynamic rules, when called
 directly, but pass packet to NEXT rule after that (don't stop search).

   When they are called as dynamic rule, they acts as allow and deny.

   So, stateful firewall with NAT could be rewritten like this:

 add 1000 skipto 2000 all from any to any out xmit outIface
 add 1010 skipto 3000 all from any to any in  recv outIface

 add 2000 state-allow from any to any // keep-state is implied
 add 2010 nat NR from any to any // No out here!
 add 2020 allow all from any to any

 add 3000 nat NR from any to any
 add 3010 check-state // Use dynamic rule based on 2000 as allow here

   What do you think?


 I understand what you are trying to do..
 but part of the usefulness of the state runes is that they
 can be any action, not just allow and deny.
 I might try the following action:

 record:  (or record-only)
 it allows the rule to be stored, but the action is not performed.
 on check-state, the rule is performed..

 so skipto 2000 ip from me to fred 80 record-only out xmit bge0
 would do nothing but record the session
 and on input the session packet would skipto 2000

 you could do deny or accept  as well so it's a superset of what you
 suggest.
 I'm not sure where in the rule record-only shoudl be put..
 maybe

 ipfw add 1000 log record-only skipto 2000 tcp from me to fred 80,443 out
 xmit bge0

 might be more syntactically correct?

 What I would find more useful, is separate state rules for each interface.
 so you could not have the danger of a packet on interface A adding a rule
 that eventually does something unexpected on a packet on interface B.


 looking at my own rules I don't seem to have a problem..
 
 Just for kicks,
 here is the base ipfw script.. just sets up the framework

 ---
 #!/bin/sh

 fwcmd=/sbin/ipfw

 # Suck in the configuration variables.
 if [ -z ${source_rc_confs_defined} ]; then
 if [ -r /etc/defaults/rc.conf ]; then
 . /etc/defaults/rc.conf
 source_rc_confs
 elif [ -r /etc/rc.conf ]; then
 . /etc/rc.conf
 fi
 fi


 # set these to your outside interface network and netmask and ip
 oif=tun0
 onet=192.168.36.0
 omask=24
 oip=x.x.x.x


 # set these to your inside interface network and netmask and ip
 iif=vr0
 inet=192.168.2.0
 imask=255.255.255.0
 iip=192.168.2.21

 # for not the natd target is us but change this if you
 # change that in natd.conf
 natd_target=${oip}
 work_vpnserver=y.y.y.y

 INCOMING=4000
 OUTGOING=8000
 LOCAL=1000
 SET=1

 sysctl net.inet.ip.fw.enable=0
 ${fwcmd} -q flush
 ${fwcmd} -q table 1 flush
 ${fwcmd} -q table 2 flush
 ${fwcmd} -q table 3 flush
 ${fwcmd} -q table 4 flush

 ${fwcmd} table 1 add 10.0.0.0/8
 ${fwcmd} table 1 add 172.16.0.0/12
 #${fwcmd} table 1 add 192.168.0.0/16
  # Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
  # RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class
 D),
  # and class E) on the outside interface
 ${fwcmd} table 1 add 0.0.0.0/8
 ${fwcmd} table 1 add 169.254.0.0/16
 ${fwcmd} table 1 add 192.0.2.0/24
 ${fwcmd} table 1 add 224.0.0.0/4
 ${fwcmd} table 1 add 240.0.0.0/4

 # add legit sources of ssh.. DNS is not up yet so use IPs
 # could add to /etc/hosts I guess.
 #  myotherhouse.org
 ${fwcmd} table 2 add a.b.c.d
 #  work
 ${fwcmd} table 2 add c.d.e.f/24
 #  my vps
 ${fwcmd} table 2 add f.g.h.i/24

 # add legit DNS tcp (zone) sources
 #  my.dns.friends
 ${fwcmd} table 3 add m.n.o.p
 #  my.dns.friend
 ${fwcmd} table 3 add q.r.s.t
 #  my.vps
 ${fwcmd} table 3 add f.g.h.i

 # Add our local networks here
 ${fwcmd} table 4 add 192.168.2.0/24
 ${fwcmd} table 4 add 172.16.15.0/24

 # common spoofing code
 # --- ALL PACKETS START HERE. 

 ${fwcmd} set disable ${SET}

 # Stop localhost spoofing
 ${fwcmd} add 100 pass all from any to any via lo0
 ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
 ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any

 # If we've already decided on it. keep our word.
 ${fwcmd} add check-state

 # Interception rules for external interfaces go here ---

 # Internal traffic. generally don't care
 # except to stop spoofing.
 # make extra sure we don't block