Date: Tue, 20 Jan 2004 12:21:18 -0500
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Alex Zbyslaw" <xfb52@dial.pipex.com>, <freebsd-questions@freebsd.org>
Subject: RE: ipfw/nated stateful rules example
Message-ID: <MIEPLLIBMLEEABPDBIEGOEEOFFAA.fbsd_user@a1poweruser.com>
Alex,

Yep, I missed your previous post; this list's mail has increased since 5.2 showed up on the FTP sites and I just missed your post in all the volume.

First of all, the method of doing keep-state on both the internal LAN interface and the external one is a violation of security protocol, because the packets are being allowed to pass based on stateful info posted by the wrong interface. This method is an example of making the firewall function incorrectly, which is not the goal of a secure firewall. The method is discarded as not viable.

Now on to your second method of coding the rules file with gymnastic goto statements. From a user's viewpoint, this kind of coding should not be necessary just to get keep-state rules to function. And if it is necessary, then it should be documented that way in man ipfw, and a working example should be included in /etc alongside the other examples.

That being said, let's look at what you posted.

******** this first part has already been addressed and discarded ****************

The basic thrust of the problematic section is:

    ipfw add divert natd all from any to any via external_interface
    ipfw add pass udp from any to any ntp out xmit external_interface
    ipfw add pass udp from any ntp to any ntp in recv external_interface

Try this:

    # local rules for this gateway's traffic
    ipfw add allow udp from me to any out xmit $ext_if keep-state
    # divert
    ipfw add divert natd ip from any to any via $ext_if
    # this rule looks a bit strange here, but it's to allow the
    # nat-ed packets outbound to leave. If you're concerned about
    # egress filtering from the gateway itself, add appropriate
    # non-stateful allow rules
    ipfw add allow ip from me to any out xmit $ext_if
    ipfw add check-state
    ipfw add allow udp from any to any in recv $int_if keep-state

Putting the keep-state on the internal ethernet is a neat solution, thanks. (It conflicts somewhat with some of the way my firewall is set up prior to the ntp/natd stuff, but I'm looking at rewriting that.)
**************** start of second method *****************

I did think of one more solution which works on the external interface only, but it's not as elegant.

    # Check all inbound ntp calls
    ipfw add skipto 20500 udp from any ntp to any in recv $ext_if
    # Checks all outbound ntp calls and (by dynamic rule) all inbound ntp calls
    ipfw add skipto 20000 udp from any to any out xmit $ext_if keep-state

    [ rest of firewall including natd go here ]

    # Make sure we do not fall through into special rulesets
    ipfw add deny log all from any to any

    # Only get to these rules in two circumstances:
    # 1) Any outbound ntp packet which has been keep-state'ed
    # 2) Any inbound ntp packet which matched a dynamic rule
    ipfw add 20000 divert natd all from any to any out xmit $ext_if
    ipfw add allow udp from any ntp to any in recv $ext_if
    ipfw add allow udp from any to any ntp out xmit $ext_if
    ipfw add deny log all from any to any

    # Only get here on an incoming ntp packet. Need to see
    # if we want to accept it or not. Check-state will
    # trigger dynamic rule and skipto 20000 on match
    ipfw add 20500 divert natd all from any to any in recv ${ext_if}
    ipfw add check-state
    ipfw add deny log all from any to any

**************** end of second method *****************

First of all, the first skipto rule

    ipfw add skipto 20500 udp from any ntp to any in recv $ext_if
    ipfw add skipto 20000 all from any to any out xmit $ext_if keep-state

uses ntp as a port name on the from object. Ntp is the name given in /etc/services for port number 123, which is the tcp time network protocol. This has to be a typo, as there is no way this can have any meaning about what we are talking about. So I will take ntp to mean a symbol, as in $ntp, which holds the private IP address of the LAN network.

Looking closer at your skipto rules, they only execute on udp packets, and the second statement has keep-state on it. Plus your skipto locations are using stateless rules. There is no use going any further; this is non-logical already.
When and if you can get your skipto method to only use stateful rules and the check-state rule to process the divert rule correctly, then you will have something to talk about. Until then, my statement still stands.
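The disagreement above turns on how ipfw's dynamic rules interact with the divert rule: a reply coming in on the external interface carries the gateway's public address until natd rewrites it, so a check-state placed before the divert compares the wrong addresses. The following is an added illustration, not code from the thread or from FreeBSD: a small Python model of ipfw rule traversal (ordered rules, keep-state creating a dynamic entry, check-state consulting it, divert re-injecting at the next rule) that walks one LAN NTP query and its reply through Alex's first ruleset, once with check-state after the divert as posted and once with it moved ahead of the divert. Interface names, addresses and the natd behaviour (keeps the source port, keyed on that port) are constructed assumptions for the model.

```python
"""Simplified model of ipfw rule traversal: ordered rules, keep-state/check-state
dynamic entries, and a divert-natd rewrite.  Constructed for this thread, not ipfw
code; natd is assumed to keep the source port and to key its table on that port."""
from dataclasses import dataclass, replace
from typing import Optional

EXT_IF, INT_IF = "ext_if", "int_if"
EXT_IP, INT_IP = "198.51.100.2", "192.168.1.1"   # gateway addresses (constructed)
LOCAL = {EXT_IP, INT_IP}                           # what the ipfw keyword "me" matches

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    iface: str

@dataclass
class Rule:
    num: int
    action: str                      # allow, deny, divert, check-state
    proto: str = "ip"                # "ip" matches any protocol
    src: str = "any"                 # any, me, or one address
    dst: str = "any"
    direction: Optional[str] = None  # "in" (recv), "out" (xmit), None == via
    iface: Optional[str] = None
    keep_state: bool = False

def addr_match(spec, addr):
    return spec == "any" or (spec == "me" and addr in LOCAL) or spec == addr

def rule_match(r, p):
    return (r.proto in ("ip", p.proto) and addr_match(r.src, p.src)
            and addr_match(r.dst, p.dst) and r.iface in (None, p.iface)
            and r.direction in (None, p.direction))

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dyn = {}    # dynamic rules: flow key -> action of the rule that created it
        self.nat = {}    # natd table: (proto, port) -> private address
        # ipfw consults the dynamic set at check-state rules, or at the first
        # keep-state rule only if the ruleset has no check-state at all
        self.has_check = any(r.action == "check-state" for r in rules)

    @staticmethod
    def flow(p):   # direction-independent key, so replies match too
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def natd(self, p):
        if p.direction == "out":                   # hide the private source
            self.nat[(p.proto, p.sport)] = p.src
            return replace(p, src=EXT_IP)
        priv = self.nat.get((p.proto, p.dport))    # inbound: undo the translation
        return replace(p, dst=priv) if priv and p.dst == EXT_IP else p

    def process(self, p):
        """Return (verdict, rule number, packet as it leaves this pass)."""
        for r in self.rules:
            if r.action == "check-state" or (r.keep_state and not self.has_check):
                hit = self.dyn.get(self.flow(p))
                if hit:
                    return hit, r.num, p
                if r.action == "check-state":
                    continue
            if not rule_match(r, p):
                continue
            if r.action == "divert":               # natd re-injects at the next rule
                p = self.natd(p)
                continue
            if r.keep_state:
                self.dyn[self.flow(p)] = r.action
            return r.action, r.num, p
        return "deny", None, p

def ruleset(check_state_after_divert=True):
    """Alex's first ruleset from the thread plus the implicit final deny.  With
    check_state_after_divert=False the check-state rule is moved ahead of the divert."""
    keep_me  = Rule(0, "allow", "udp", "me", "any", "out", EXT_IF, keep_state=True)
    divert   = Rule(0, "divert", iface=EXT_IF)
    allow_me = Rule(0, "allow", src="me", direction="out", iface=EXT_IF)
    check    = Rule(0, "check-state")
    keep_lan = Rule(0, "allow", "udp", direction="in", iface=INT_IF, keep_state=True)
    deny     = Rule(0, "deny")
    order = ([keep_me, divert, allow_me, check, keep_lan, deny] if check_state_after_divert
             else [keep_me, check, divert, allow_me, keep_lan, deny])
    for i, r in enumerate(order, 1):
        r.num = i * 100
    return order

def trace_ntp_query(fw, lan_host="192.168.1.10", server="203.0.113.7"):
    """Walk one LAN -> Internet NTP query and its reply through all four ipfw passes."""
    out, q = [], Pkt("udp", lan_host, 123, server, 123, "in", INT_IF)
    v, n, q = fw.process(q)
    out.append(("query in recv int_if", v, n))
    if v == "allow":
        v, n, q = fw.process(replace(q, direction="out", iface=EXT_IF))
        out.append(("query out xmit ext_if", v, n))
    if v == "allow" and q.src != EXT_IP:           # natd never saw it: no reply can return
        out.append(("query left ext_if", "untranslated source " + q.src, None))
        return out
    if v == "allow":
        reply = Pkt("udp", q.dst, q.dport, q.src, q.sport, "in", EXT_IF)
        v, n, reply = fw.process(reply)
        out.append(("reply in recv ext_if", v, n))
    if v == "allow":
        v, n, _ = fw.process(replace(reply, direction="out", iface=INT_IF))
        out.append(("reply out xmit int_if", v, n))
    return out

def trace_unsolicited(fw, remote="203.0.113.9"):
    """An inbound UDP/123 packet nobody asked for: no dynamic entry, so it is denied."""
    v, n, _ = fw.process(Pkt("udp", remote, 123, EXT_IP, 123, "in", EXT_IF))
    return v, n

if __name__ == "__main__":
    for ok in (True, False):
        print("check-state after divert:", ok)
        for step in trace_ntp_query(Firewall(ruleset(ok))):
            print("  ", *step)
    print("unsolicited probe:", trace_unsolicited(Firewall(ruleset())))
```

With the posted ordering the query is admitted by the keep-state rule on the internal interface, leaves through natd and the "from me" rule, and the reply is matched by check-state only because the divert rule ahead of it has already restored the LAN host's private address. With check-state moved ahead of the divert, the dynamic entry fires on the outbound pass before natd sees the packet, so it leaves with a private source and nothing can come back; an unsolicited inbound UDP/123 packet falls through to the final deny in either ordering. Real ipfw and natd have more state (timeouts, port remapping, the one_pass sysctl for dummynet) that this model leaves out.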
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?MIEPLLIBMLEEABPDBIEGOEEOFFAA.fbsd_user>