From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "Jonathan Chen"
Cc: freebsd-questions@freebsd.org
Date: Wed, 21 Jan 2004 00:25:56 -0600
Subject: Re: ipfw/nated stateful rules example
Message-ID: <037901c3dfe7$6fcf6c90$0201a8c0@dredster>

----- Original Message -----
From: "Jonathan Chen"
To: "fbsd_user"
Cc: "Micheal Patterson"
Sent: Tuesday, January 20, 2004 11:20 PM
Subject: Re: ipfw/nated stateful rules example

> On Tue, Jan 20, 2004 at 09:18:27PM -0500, fbsd_user wrote:
> > Yes, you are making it work, but not work correctly. In the true
> > security sense, this is un-secure and invalidates the whole purpose
> > of using keep-state rules at all. This would never be allowed by a
> > real firewall security professional.
>
> I'm curious as to why you'd consider it insecure. How would applying
> the keep-state rules on the public IP be any more secure than using it
> on the internal IP? The mechanism works the same regardless. You
> haven't provided a case as to why you think it is unsecure.
> --
> Jonathan Chen

That's what I'm trying to figure out. As far as I can tell, it's working
exactly how I want it to work. My public IP traffic is stateful from the
firewall to the world and the LAN traffic is stateful to the world. I'd
just like to hear what the firewall security professional would have to
say about it.

--
Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
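An added illustration of the placement the thread is arguing about; it is not a ruleset posted by anyone in the thread. It assumes xl0 as the public interface, 192.168.1.0/24 as the LAN and natd listening on its default divert port 8668. A packet handed to natd re-enters the ruleset at the rule after the divert, so the side of the outbound divert on which the keep-state rule sits decides whether the dynamic entry records the LAN address or the public one; here the keep-state rules run before the outbound divert, so the entries are keyed on LAN addresses and the inbound divert must come before check-state for replies to match.

```conf
# Constructed example ruleset (assumed names: xl0, 192.168.1.0/24, port 8668).
# Load with: ipfw /etc/ipfw.rules    Syntax check only: ipfw -n /etc/ipfw.rules
add 00100 allow ip from any to any via lo0

# Inbound: hand packets to natd first so every later rule, including
# check-state, sees the translated (LAN) destination address.
add 00200 divert 8668 ip from any to any in via xl0

# Replies to known sessions match here and inherit the parent rule's
# action (the skipto below), which carries them on to the exit rule.
add 00300 check-state

# LAN-originated sessions: the dynamic entry holds the 192.168.1.x
# source because this rule runs before the outbound divert.
add 00400 skipto 1000 tcp from 192.168.1.0/24 to any out via xl0 setup keep-state
add 00500 skipto 1000 udp from 192.168.1.0/24 to any out via xl0 keep-state

# Sessions started by the firewall itself (public address, no NAT needed).
add 00600 skipto 1000 tcp from me to any out via xl0 setup keep-state
add 00700 skipto 1000 udp from me to any out via xl0 keep-state

# Anything arriving on the public interface that matched no dynamic entry.
# Traffic on other interfaces falls through to the default policy.
add 00900 deny log ip from any to any in via xl0

# Outbound: translate to the public address, then release the packet.
add 01000 divert 8668 ip from any to any out via xl0
add 01100 allow ip from any to any
```

To see which addresses the dynamic entries actually record under a given ordering, list them with `ipfw -d list` while a LAN host has a session open.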