-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 09:44, Julian Elischer wrote:
>> So, stateful firewall with NAT could be rewritten like this:
>>
>> add 1000 skipto 2000 all from any to any out xmit outIface add
>> 1010 skipto 3000 all from any to any in recv outIface
>>
>> add 20
On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote:
> Now to make stateful firewall with NAT you need to make some not very
> "readable" tricks to record state ("allow") of outbound connection
> before NAT, but pass packet to NAT after that. I know two:
>
> (a) skipto-nat-allow patte
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 13:04, Ian Smith wrote:
>> Now to make stateful firewall with NAT you need to make some not
>> very "readable" tricks to record state ("allow") of outbound
>> connection before NAT, but pass packet to NAT after that. I know
>> two:
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 12:30, Lev Serebryakov wrote:
> "keep-state". Problem is, it adds "if" branch for EACH action (in
> kernel code). IMHO, it is very prohibitive. I've though about
> that, but decide it is too expensive to have "if (!iHaveRecordOnly
> |
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Recommended "reass all from any to any in" kills all incoming IPv6
packets (at least, packets from 6in4 tunnel). "reass ip4 from any to
any in" works as expected.
Is it documentation bug or implementation bug?
- --
// Lev Serebryakov AKA Black
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
> On 03.02.2015 13:04, Ian Smith wrote:
>
> >> Now to make stateful firewall with NAT you need to make some not
> >> very "readable" tricks to record state ("allow") of outbound
> >> connection before NAT, but pass packet to NAT after
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Ok, "allow-state"/"deny-state" was very limited idea.
Here is more universal mechanism: new "keep-state-only" (aliased as
"record-only") option, which works exactly as "keep-state" BUT cancel
match of rule after state creation. It allows to write
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 19:13, Lev Serebryakov wrote:
> Ok, "allow-state"/"deny-state" was very limited idea. Here is more
> universal mechanism: new "keep-state-only" (aliased as
> "record-only") option, which works exactly as "keep-state" BUT
> cancel matc
On 2/3/15 5:30 PM, Lev Serebryakov wrote:
looking at my own rules I don't seem to have a problem..
You have "check-state" only once, on entrance, before all NATs, so
it could work only for packets which don't need NAT. And looks like
(correct me if I'm wrong) you don't try to track states o
On 2/3/15 6:23 PM, Lev Serebryakov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 13:04, Ian Smith wrote:
Now to make stateful firewall with NAT you need to make some not
very "readable" tricks to record state ("allow") of outbound
connection before NAT, but pass packet t
On 2/4/15 12:55 AM, Lev Serebryakov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
On 03.02.2015 19:13, Lev Serebryakov wrote:
Ok, "allow-state"/"deny-state" was very limited idea. Here is more
universal mechanism: new "keep-state-only" (aliased as
"record-only") option, which works ex
On 2/4/15 12:13 AM, Lev Serebryakov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Ok, "allow-state"/"deny-state" was very limited idea.
Here is more universal mechanism: new "keep-state-only" (aliased as
"record-only") option, which works exactly as "keep-state" BUT cancel
match of
On 2/4/15 1:32 PM, Julian Elischer wrote:
On 2/4/15 12:13 AM, Lev Serebryakov wrote:
And variants with multiple NATs and "nat global" becomes as easy as
this, too! No stupid "skipto", no "keep-state" at "incoming from local
network" parts of firewall, nothing!
P.S. I HATE this "all any to an
13 matches
Mail list logo
