Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Victor Sudakov wrote:
> If we consider a simple example below, how would you replace the 600th
> rule for a stateful one?
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0

Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Michael Powell wrote:
> >
> > With my example ruleset below, where would you put the keep-state
> > option?
> >
> >
> > 00100 divert 8668 ip from any to table(1) out via rl0
> > 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> > 00300 deny log logamount 100 ip from 172.16.0.0

Re: keep-state and divert

2009-04-02 Thread Michael Powell
Victor Sudakov wrote:
[snip]
>
> I have looked at your ruleset. First you have:
>
> [dd]
>> $fwcmd add divert natd ip from any to me in via ppp0
>> $fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
>> $fwcmd add check-state
>>
>
> [dd]
>
> and only later you have your keep-state

Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Michael Powell wrote:
> >
> > I have read some recommendations on combining a stateful firewall with
> > divert, e.g.
> > http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> > and http://nuclight.livejournal.com/124348.html (the latter is in
> > Russian).
> >
> > Do I unde

Re: keep-state and divert

2009-04-02 Thread Victor Sudakov
Paul A Procacci wrote:
> >
> >I have read some recommendations on combining a stateful firewall with
> >divert,
> >e.g.
> >http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> >and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
> >
> >Do I understan

Re: keep-state and divert

2009-04-02 Thread Michael Powell
Victor Sudakov wrote:
> Colleagues,
>
> I have read some recommendations on combining a stateful firewall with
> divert, e.g.
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in
> Russian).
>
> Do I under

Re: keep-state and divert

2009-04-02 Thread Paul A Procacci
Victor Sudakov wrote: Colleagues, I have read some recommendations on combining a stateful firewall with divert, e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html and http://nuclight.livejournal.com/124348.html (the latter is in Russian). Do I understand correctly t

keep-state and divert

2009-04-01 Thread Victor Sudakov
Colleagues, I have read some recommendations on combining a stateful firewall with divert, e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html and http://nuclight.livejournal.com/124348.html (the latter is in Russian). Do I understand correctly that it is (mathematical