From owner-freebsd-bugs Sun Jul 29 1:40: 6 2001
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3ADA537B405 for ; Sun, 29 Jul 2001 01:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f6T8e2I03572; Sun, 29 Jul 2001 01:40:02 -0700 (PDT) (envelope-from gnats)
Received: from mta01-svc.ntlworld.com (mta01-svc.ntlworld.com [62.253.162.41]) by hub.freebsd.org (Postfix) with ESMTP id 2BCFC37B403 for ; Sun, 29 Jul 2001 01:38:08 -0700 (PDT) (envelope-from mikescott@clara.net)
Received: from data.scotts ([213.104.75.148]) by mta01-svc.ntlworld.com (InterMail vM.4.01.03.00 201-229-121) with ESMTP id <20010729083806.MSER15984.mta01-svc.ntlworld.com@data.scotts> for ; Sun, 29 Jul 2001 09:38:06 +0100
Received: (from root@localhost) by data.scotts (8.11.3/8.11.3) id f6T8IaU01684; Sun, 29 Jul 2001 09:18:36 +0100 (BST)
Message-Id: <200107290818.f6T8IaU01684@data.scotts>
Date: Sun, 29 Jul 2001 09:18:36 +0100 (BST)
From: mikescott@clara.net
Reply-To: mikescott@clara.net
To: FreeBSD-gnats-submit@freebsd.org
Cc: mikescott@clara.net
X-Send-Pr-Version: 3.113
Subject: kern/29294: IPFW dynamic rules and NATD interaction has logical design flaw
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         29294
>Category:       kern
>Synopsis:       IPFW dynamic rules and NATD interaction has logical design flaw
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 29 01:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Mike Scott
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
(self)
>Environment:
System: FreeBSD data.scotts 4.3-RELEASE FreeBSD 4.3-RELEASE #1: Thu Jul 19 15:20:22 BST 2001 mike@data.scotts:/usr/src/sys/compile/DATA i386

486dx2/66 (!), OS as above, with standard ipfw, natd, libraries.

>Description:
There seems to be a logical error in the way natd is handled in conjunction
with the ipfw firewall rules. I've asked on the questions and hackers lists
about this, but there's been little response - one person said my config
file was wrong, another vaguely remembered a problem of this sort.

(1) ipfw rules are handled top down, stop on first match.
(2) Therefore the NAT diversion must be the first item in the list, or it
    may never be reached.
(3) keep-state and check-state must therefore both follow the NAT diversion.
    (So no trickery allowed having before-NAT and after-NAT state checks.)
(4) keep-state and check-state must work on the same set of addresses,
    either both internal, or both external.
(5) The list of firewall rules is traversed in the same order for incoming
    and outgoing packets.
(6) Therefore all rules for incoming packets are applied to *local*
    addresses, all rules for outgoing are applied to *external* addresses.
(7) keep-state and check-state are normally applied to packets flowing in
    opposite directions.
(8) Therefore, they are applied inconsistently to incoming and outgoing
    addresses (keep-state may save an internal address, but check-state
    will be applied to an external address, and vice versa).

>How-To-Repeat:
I assume that any ipfw config of the form

    $fwcmd add divert natd all from any to any via tun0
    ...
    $fwcmd add check-state
    $fwcmd add deny log tcp from any to any established
    $fwcmd add allow log tcp from any to any out via tun0 keep-state

will exhibit the wrong behaviour. 'ipfw show' will show the dynamic rule(s)
with the wrong addresses in.

>Fix:
Assuming I'm right, the "call" to natd doesn't belong in the fw rules. It
should always occur just after packets are read in, just before they're
written out to the network.

Workaround is not to use dynamic rules.

>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
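Added example, not part of the PR or of ipfw itself: a small Python model of the rule traversal the report describes (top down, stop on first match, divert natd as the first rule), replaying one outbound connection and its reply under the reporter's configuration and under the fix the report proposes. All addresses are constructed, and the model tracks only address pairs, not ports.

```python
# Toy model of the PR's rule set; all addresses are constructed documentation addresses.
INTERNAL, EXTERNAL, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.20"

def nat(pkt):
    """natd: rewrite the LAN address on the way out and back on the way in."""
    p = dict(pkt)
    if p["dir"] == "out" and p["src"] == INTERNAL:
        p["src"] = EXTERNAL
    elif p["dir"] == "in" and p["dst"] == EXTERNAL:
        p["dst"] = INTERNAL
    return p

def firewall(pkt, state, nat_in_rules):
    """Walk the rules top down, stop on first match; return (verdict, packet).

    nat_in_rules=True:  'divert natd' is the first rule, as in the PR's config.
    nat_in_rules=False: the PR's proposed fix, NAT just after read-in (inbound)
                        and just before write-out (outbound), so every rule sees
                        the LAN address in both directions.
    """
    if nat_in_rules or pkt["dir"] == "in":
        pkt = nat(pkt)
    # check-state: is there a dynamic rule for this flow in either direction?
    if (pkt["src"], pkt["dst"]) in state or (pkt["dst"], pkt["src"]) in state:
        return "allow (check-state)", pkt
    # deny log tcp from any to any established
    if pkt["established"]:
        return "deny (established)", pkt
    # allow log tcp from any to any out via tun0 keep-state
    if pkt["dir"] == "out":
        state.add((pkt["src"], pkt["dst"]))  # what 'ipfw show' would list
        return "allow (keep-state)", nat(pkt) if not nat_in_rules else pkt
    return "deny (default)", pkt

def session(nat_in_rules):
    """Outbound SYN from the LAN host, then the established reply from the remote."""
    state = set()
    syn = {"src": INTERNAL, "dst": REMOTE, "dir": "out", "established": False}
    reply = {"src": REMOTE, "dst": EXTERNAL, "dir": "in", "established": True}
    v_out, _ = firewall(syn, state, nat_in_rules)
    v_in, _ = firewall(reply, state, nat_in_rules)
    return v_out, v_in, sorted(state)

if __name__ == "__main__":
    print("natd as first ipfw rule :", session(True))
    print("natd outside the rules  :", session(False))
```

With natd as the first rule the dynamic entry is stored with the external address while check-state sees the reply already translated back to the LAN address, so the reply falls through to the established deny; with NAT outside the rule list both directions match.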