Transparent firewall & Dynamic rules


Transparent firewall & Dynamic rules

by Cypher Wu

I want to build a transparent firewall based on IPFW. For static rules
this is fine, but for dynamic rules, ipfw uses keepalive packets to
avoid deleting a dynamic rule whose two ends are still alive but don't
issue any traffic for a long time. But this means the firewall should
have its own IPs and is not transparent anymore.
_______________________________________________
freebsd-ipfw@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@..."

Re: Transparent firewall & Dynamic rules

by Luigi Rizzo

On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
> I want to build a transparent firewall based on IPFW. For static rules
> this is fine, but for dynamic rules, ipfw uses keepalive packets to
> avoid deleting a dynamic rule whose two ends are still alive but don't
> issue any traffic for a long time. But this means the firewall should
> have its own IPs and is not transparent anymore.

keepalives carry the addresses of the two endpoints;
the firewall is not visible.


Re: Transparent firewall & Dynamic rules

by Cypher Wu

It seems fine, but I still have some questions:
1. The endpoint will respond to the keepalive TCP segment and the
destination will be the other endpoint. Will IPFW just let it through
like a usual IP packet, or try to figure it out and drop it?
2. If I have two computers and I can make sure both ends are not using
keepalive, can I still figure out that there is a firewall between
these two computers?


On Sat, Sep 12, 2009 at 9:09 PM, Luigi Rizzo <rizzo@...> wrote:

> On Sat, Sep 12, 2009 at 03:32:54PM +0800, Cypher Wu wrote:
>> I want to build a transparent firewall based on IPFW. For static rules
>> this is fine, but for dynamic rules, ipfw uses keepalive packets to
>> avoid deleting a dynamic rule whose two ends are still alive but don't
>> issue any traffic for a long time. But this means the firewall should
>> have its own IPs and is not transparent anymore.
>
> keepalives carry the addresses of the two endpoints;
> the firewall is not visible.
>
>

Re: Transparent firewall & Dynamic rules

by Luigi Rizzo

On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
> It seems fine, but I still have some questions:
> 1. The endpoint will respond to the keepalive TCP segment and the
> destination will be the other endpoint. Will IPFW just let it through
> like a usual IP packet, or try to figure it out and drop it?

it will let the packet through.

> 2. If I have two computers and I can make sure both ends are not using
> keepalive, can I still figure out that there is a firewall between
> these two computers?

you can disable the keepalives on the firewall (if there is no
sysctl for it, it's a trivial code change anyways), and you
can set a large timeout.

but by definition the presence of a firewall _is_ detectable,
unless it blocks nothing so it is just a logger and not a firewall.

'transparent' referred to a middlebox means
"it does not require endpoint reconfiguration", not that
it is undetectable.
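As an added example (not code from the thread, and not FreeBSD's or ipfw's own scripts), the following POSIX sh script turns Luigi's advice into a concrete bridge-mode ipfw setup: stateful rules created only for sessions entering from the inside interface, keepalive generation switched off so the firewall emits no packets of its own, and the established-flow lifetime raised so quiet connections keep their dynamic rule. The sysctl names are the ones documented in ipfw(8) and if_bridge(4); the interface names, the LAN prefix and the timeout value are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a transparent-bridge ipfw
# ruleset that relies on dynamic rules without firewall-originated keepalives.
# Interface names, LAN prefix and timeout below are assumptions.

INSIDE_IF="${INSIDE_IF:-em0}"             # assumption: LAN-facing bridge member
OUTSIDE_IF="${OUTSIDE_IF:-em1}"           # assumption: WAN-facing bridge member
INSIDE_NET="${INSIDE_NET:-192.0.2.0/24}"  # constructed documentation prefix
IDLE_TIMEOUT="${IDLE_TIMEOUT:-7200}"      # seconds an idle established flow keeps its state (assumption)

# sysctl settings, names as documented in if_bridge(4) and ipfw(8):
#   net.link.bridge.ipfw=1        pass bridged frames through ipfw
#   net.inet.ip.fw.dyn_keepalive=0 never inject keepalive segments
#   net.inet.ip.fw.dyn_ack_lifetime raise the idle lifetime of established TCP states
dyn_sysctls() {
    cat <<EOF
net.link.bridge.ipfw=1
net.inet.ip.fw.dyn_keepalive=0
net.inet.ip.fw.dyn_ack_lifetime=$IDLE_TIMEOUT
EOF
}

# ipfw rule file, one command per line, loadable with "ipfw -q -f <file>".
# Dynamic state is created only for traffic received on the inside
# interface; anything else has to match an existing dynamic rule.
ipfw_rules() {
    cat <<EOF
flush
add 100 check-state
add 200 allow tcp from $INSIDE_NET to any recv $INSIDE_IF setup keep-state
add 210 allow udp from $INSIDE_NET to any recv $INSIDE_IF keep-state
add 300 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
EOF
}

# Number of rules that create dynamic state; a quick sanity check.
count_stateful_rules() {
    ipfw_rules | grep -c 'keep-state'
}

# Apply on a FreeBSD host: needs root and the ipfw module loaded.
apply_ruleset() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not available" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    dyn_sysctls | while IFS= read -r kv; do sysctl "$kv"; done
    tmp=$(mktemp) || return 1
    ipfw_rules > "$tmp"
    ipfw -q -f "$tmp"
    rm -f "$tmp"
}

# Usage: sh transparent-ipfw.sh apply   (any other invocation prints the config)
case "${1:-show}" in
    apply) apply_ruleset ;;
    *) dyn_sysctls; echo; ipfw_rules ;;
esac
```

With dyn_keepalive set to 0 the firewall never sources a packet, so the only observable effect of the box is what it blocks, which is exactly the detectability Luigi describes: a long dyn_ack_lifetime keeps legitimately idle sessions alive, but an idle session that outlives even that timeout will be dropped on resumption, so pick the value from the longest idle period your applications genuinely need.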

Re: Transparent firewall & Dynamic rules

by Cypher Wu

Thanks a lot. It seems that I've misunderstood 'transparent firewall'.

On Sat, Sep 12, 2009 at 10:10 PM, Luigi Rizzo <rizzo@...> wrote:

> On Sat, Sep 12, 2009 at 09:51:04PM +0800, Cypher Wu wrote:
>> It seems fine, but I still have some questions:
>> 1. The endpoint will respond to the keepalive TCP segment and the
>> destination will be the other endpoint. Will IPFW just let it through
>> like a usual IP packet, or try to figure it out and drop it?
>
> it will let the packet through.
>
>> 2. If I have two computers and I can make sure both ends are not using
>> keepalive, can I still figure out that there is a firewall between
>> these two computers?
>
> you can disable the keepalives on the firewall (if there is no
> sysctl for it, it's a trivial code change anyways), and you
> can set a large timeout.
>
> but by definition the presence of a firewall _is_ detectable,
> unless it blocks nothing so it is just a logger and not a firewall.
>
> 'transparent' referred to a middlebox means
> "it does not require endpoint reconfiguration", not that
> it is undetectable.
>