Manuel Kasper wrote:
> OK, but I meant to say that you now always have to pass all outgoing
> packets because the check-state fails on them since it doesn't see the
> same local<->remote IP combination as with the incoming packet that
> created the state table entry. Kinda one-way stateful filtering. ;)
Not at all. I just didn't show my stateful rules for inbound
traffic. When a packet reaches that place in the ruleset, it's
already allowed by another rule, so it's safe.
I have true stateful packet filtering inbound and outbound, that
rule is there to let the stateful outbound rules work. Much
was not included in that snippet.
Inbound stateful rules are easy:
<nat rule goes here>
$fw add 02900 set 0 allow tcp from any to $http_svc http keep-state setup
> On a side note - I couldn't resist re-benchmarking natd and ipnat; I was
> starting to worry about my memory (lame excuse, I know). Here goes, all on
> a Soekris net4501, FreeBSD 4.8 (actually m0n0BSD), nothing else running
> except for the minimum (syslogd, cron, sshd); FAST_IPSEC compiled into the
> kernel (empty SAD/SPD, but still eats a megabit or two - doesn't matter
> here, though), both filters compiled with default to accept, only one
> loaded at a time of course, no rules installed except for the divert rule
> in ipfw, only 1 redirection (to test the other direction - turned out the
> same, though), absolutely nothing in the environment changing except for
> which filter/NAT was loaded, all measurements made with iperf:
> throughput without any filters/NAT loaded (routing only): 39.4 Mbps
> ipf + ipnat: 23.3 Mbps
> ipfw + natd: 10.1 Mbps
You might notice that on a DS3, but not an E1 ;-) Static NAT w/natd
seems considerably faster than that.
"Well," Brahma said, "even after ten thousand explanations, a fool is no
wiser, but an intelligent man requires only two thousand five hundred."
- The Mahabharata
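An added example, not the poster's ruleset and not quoted from the thread: a minimal ipfw script that shows the ordering the reply relies on, with the natd divert rule ahead of check-state and keep-state rules on both sides, so dynamic entries always see the same address pair in either direction. The interface name, the $http_svc address, the rule numbers and the helper function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Example ipfw stateful ruleset around natd (added illustration, not the
# poster's full ruleset). Interface, addresses and rule numbers are assumed.
ext_if="sis0"            # assumed external interface
http_svc="192.0.2.10"    # assumed web server address (documentation range)
nat_port="8668"          # natd's default divert port

# Emit the ruleset as "add ..." lines that ipfw(8) can read from a file.
# natd is hooked before check-state: inbound packets are already translated
# back to the internal address and outbound packets are not yet translated,
# so every dynamic rule sees the internal address in both directions.
build_ruleset() {
    cat <<EOF
add 01000 set 0 divert ${nat_port} ip from any to any via ${ext_if}
add 02000 set 0 check-state
add 02900 set 0 allow tcp from any to ${http_svc} http keep-state setup
add 03000 set 0 allow ip from ${http_svc} to any keep-state
add 65000 set 0 deny log ip from any to any
EOF
}

# Sanity check before loading: divert must come before check-state, and
# check-state before the first keep-state rule; otherwise the state entry
# created by one direction does not match the packets of the other.
verify_order() {
    divert_no=$(build_ruleset | awk '/divert/ {print $2+0; exit}')
    check_no=$(build_ruleset | awk '/check-state/ {print $2+0; exit}')
    first_ks=$(build_ruleset | awk '/keep-state/ {print $2+0; exit}')
    [ "$divert_no" -lt "$check_no" ] && [ "$check_no" -lt "$first_ks" ]
}

# Load the ruleset only if the ordering check passes. Run as root on a host
# with ipfw(4) and natd(8); with no arguments the script just prints the rules.
load_ruleset() {
    verify_order || { echo "rule ordering check failed" >&2; return 1; }
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp" && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

case "$1" in
    apply) load_ruleset ;;
    *)     build_ruleset ;;
esac
```

Running the script without arguments prints the rules for review; `./rules.sh apply` performs the ordering check and then hands the file to `ipfw -q`. The check is cheap insurance against the symptom described in the quoted message, where check-state misses outbound packets because the divert rule was placed after it.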