From owner-freebsd-questions Sun Feb 17 10:32:10 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 7F21437B47D for ; Sun, 17 Feb 2002 10:31:48 -0800 (PST)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020217183147.XROO2626.rwcrmhc51.attbi.com@blossom.cjclark.org>; Sun, 17 Feb 2002 18:31:47 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g1HIVjq31867; Sun, 17 Feb 2002 10:31:45 -0800 (PST) (envelope-from cjc)
Date: Sun, 17 Feb 2002 10:31:45 -0800
From: "Crist J. Clark"
To: Joe & Fhe Barbish
Cc: FBSD , cvarda@flopnet.com.br, Patrick Soltani
Subject: Re: IPFW check-state rules
Message-ID: <20020217103145.Q48401@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020217080858.P48401@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from barbish@a1poweruser.com on Sun, Feb 17, 2002 at 12:23:59PM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Feb 17, 2002 at 12:23:59PM -0500, Joe & Fhe Barbish wrote:
> Crist you wrote this.
> I am saying it is difficult to get ipfw(8) 'keep-state' to work well
> with natd(8). It may not be worth it for many users. It does not
> provide additional protection.
>
>
> You are way out in nowhere land with that statement.
> I have read you stating in other posts that keep-state provides
> much better security. And if keep-state did not provide better firewall
> security then why would somebody take the time to write it?
'keep-state' provides much better protection than a stateless packet filter, no doubt about it. But combining NAT and a stateless firewall makes a stateful packet filter. However, I feel that that is abusing NAT. NAT is not a security feature. NAT is something you do to increase your IP address space.

I don't like the fact that 'keep-state' and natd(8) do not work well together. There are quite a few things that I don't like about 'keep-state.' That's one of the main reasons I don't use it much anymore. I use IPFilter (but it has its limits too).

> Well I killed natd and user ppp and restarted user ppp with -nat flag
> and now the rules in the outbound section of my rules set as posted
> here earlier, minus the divert rule, are functioning. The correct answer to
> my original question was to get rid of natd from the ipfw rules set and
> use the user ppp nat function.

I didn't know you were using ppp(8).

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message