On 2/4/15 12:13 AM, Lev Serebryakov wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Ok, allow-state/deny-state was a very limited idea.
Here is a more universal mechanism: a new keep-state-only (aliased as
record-only) option, which works exactly as keep-state BUT cancels the
match of the rule
On 2/3/15 6:23 PM, Lev Serebryakov wrote:
On 03.02.2015 13:04, Ian Smith wrote:
Now to make a stateful firewall with NAT you need to use some not
very readable tricks to record the state (allow) of an outbound
connection before NAT, but pass the packet to
On 2/4/15 12:55 AM, Lev Serebryakov wrote:
On 03.02.2015 19:13, Lev Serebryakov wrote:
Ok, allow-state/deny-state was a very limited idea. Here is a more
universal mechanism: a new keep-state-only (aliased as
record-only) option, which works exactly
On 2/4/15 1:32 PM, Julian Elischer wrote:
On 2/4/15 12:13 AM, Lev Serebryakov wrote:
And variants with multiple NATs and nat global become as easy as
this, too! No stupid skipto, no keep-state in the incoming-from-local-
network parts of the firewall, nothing!
P.S. I HATE this all any to any part!
On 2/3/15 5:30 PM, Lev Serebryakov wrote:
Looking at my own rules I don't seem to have a problem...
You have check-state only once, on entrance, before all NATs, so
it could work only for packets which don't need NAT. And it looks like
(correct me if I'm wrong) you don't try to track states of
Ok, allow-state/deny-state was a very limited idea.
Here is a more universal mechanism: a new keep-state-only (aliased as
record-only) option, which works exactly as keep-state BUT cancels the
match of the rule after state creation. It allows writing a stateful
On 03.02.2015 19:13, Lev Serebryakov wrote:
Ok, allow-state/deny-state was a very limited idea. Here is a more
universal mechanism: a new keep-state-only (aliased as
record-only) option, which works exactly as keep-state BUT
cancels the match of the rule
On Tue, 3 Feb 2015 13:23:38 +0300, Lev Serebryakov wrote:
On 03.02.2015 13:04, Ian Smith wrote:
Now to make a stateful firewall with NAT you need to use some not
very readable tricks to record the state (allow) of an outbound
connection before NAT, but pass the packet to NAT after that. I know
On 03.02.2015 13:04, Ian Smith wrote:
Now to make a stateful firewall with NAT you need to use some not
very readable tricks to record the state (allow) of an outbound
connection before NAT, but pass the packet to NAT after that. I know
two:
(a)
On 03.02.2015 12:30, Lev Serebryakov wrote:
keep-state. The problem is, it adds an if branch for EACH action (in
kernel code). IMHO, it is very prohibitive. I've thought about
that, but decided it is too expensive to have if (!iHaveRecordOnly
||
The recommended reass all from any to any in kills all incoming IPv6
packets (at least, packets from a 6in4 tunnel). reass ip4 from any to
any in works as expected.
Is it a documentation bug or an implementation bug?
--
// Lev Serebryakov AKA Black
On Mon, 2 Feb 2015 22:17:25 +0300, Lev Serebryakov wrote:
Now to make a stateful firewall with NAT you need to use some not very
readable tricks to record the state (allow) of an outbound connection
before NAT, but pass the packet to NAT after that. I know two:
(a) skipto-nat-allow pattern from