Victor Sudakov wrote:
> If we consider a simple example below, how would you replace the 600th
> rule with a stateful one?
>
> 00100 divert 8668 ip from any to table(1) out via rl0
> 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> 00300 deny log logamount 100 ip from 172.16.0.0
Michael Powell wrote:
> >
> > With my example ruleset below, where would you put the keep-state
> > option?
> >
> >
> > 00100 divert 8668 ip from any to table(1) out via rl0
> > 00200 deny log logamount 100 ip from 10.0.0.0/8 to any out via rl0
> > 00300 deny log logamount 100 ip from 172.16.0.0
Victor Sudakov wrote:
[snip]
>
> I have looked at your ruleset. First you have:
>
> [dd]
>> $fwcmd add divert natd ip from any to me in via ppp0
>> $fwcmd add divert natd ip from 10.10.0.0/8 to any out via ppp0
>> $fwcmd add check-state
>>
>
> [dd]
>
> and only later you have your keep-state
Michael Powell wrote:
> >
> > I have read some recommendations on combining a stateful firewall with
> > divert, e.g.
> > http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> > and http://nuclight.livejournal.com/124348.html (the latter is in
> > Russian).
> >
> > Do I unde
Paul A Procacci wrote:
> >
> >I have read some recommendations on combining a stateful firewall with
> >divert,
> >e.g.
> >http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> >and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
> >
> >Do I understan
Victor Sudakov wrote:
> Colleagues,
>
> I have read some recommendations on combining a stateful firewall with
> divert, e.g.
> http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
> and http://nuclight.livejournal.com/124348.html (the latter is in
> Russian).
>
> Do I under
Victor Sudakov wrote:
Colleagues,
I have read some recommendations on combining a stateful firewall with divert,
e.g. http://www.derkeiler.com/Mailing-Lists/FreeBSD-Security/2003-06/0078.html
and http://nuclight.livejournal.com/124348.html (the latter is in Russian).
Do I understand correctly that it is (mathematical