Date:      Wed, 11 Jun 2003 07:21:07 -0500
From:      Greg Panula <greg.panula@dolaninformation.com>
To:        Subscriber <subscriber@insignia.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: IPFW: combining "divert natd" with "keep-state"
Message-ID:  <3EE71EB3.5D675541@dolaninformation.com>
References:  <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>


Subscriber wrote:
> 
> I've been using ipfw for a while to create a router with NAT
> and packet filtering, but have never combined it with
> stateful filtering, instead using things like "established" to
> accept incoming TCP packets which are part of a conversation
> initiated from the "inside".
> 
> I'd like to move to using keep-state/check-state to get tighter
> filtering and also to allow outgoing UDP and the replies, which
> currently I block.
> 
> But I just can't get my head around how to do this. On the way
> out, should the dynamic rules be created to match the pre-NAT
> or post-NAT packets?
> 
> The man pages are good at explaining both NAT and dynamic
> rules but not both in combination.
> 

## Example ##
fxp0 = external nic
xl0 = internal nic
internal network = 10.10.10.0/24
internal traffic NAT'd to 1.2.3.4

## handle NAT traffic: a packet that natd rewrites re-enters the
## firewall at the rule after the divert rule, i.e. at 300
100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
200 divert 8668 ip from any to 1.2.3.4 in via fxp0

## match packets that belong to a dynamic rule created below
300 check-state

## dynamic rules for internal clients' access to everything
## needed so un-NAT'd return traffic can flow out the
## internal nic to the internal clients
400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
500 allow udp from 10.10.10.0/24 to any keep-state via xl0

## dynamic rules allow the natd alias address access to
## external resources
600 allow tcp from 1.2.3.4 to any keep-state out via fxp0
700 allow udp from 1.2.3.4 to any keep-state out via fxp0

You should also run natd with the "-deny_incoming" flag as an extra
defense against bogus packets.

good luck,
  greg
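
The question was whether the dynamic rules should match the pre-NAT or the post-NAT packet; the ruleset in the reply keeps state on both (rules 400 and 600). To make the rule walk visible, here is an added toy model in Python. It is not code from this thread, from ipfw or from natd, and it models only what the ruleset relies on: rules are tried in order; a divert rule hands the packet to natd and the rewritten packet re-enters at the next rule; keep-state records a flow that check-state then matches in either direction regardless of interface; natd's -deny_incoming drops inbound packets that have no alias-table entry. The client and external hosts, natd's port range and the closing default-deny are assumptions.

```python
# Added toy model of the ipfw rule walk, not FreeBSD or natd code; the hosts,
# natd's port range and the closing default-deny are assumptions.
from collections import namedtuple
from ipaddress import ip_address, ip_network

EXT_IF, INT_IF = "fxp0", "xl0"
ALIAS = "1.2.3.4"            # natd alias address from the reply
INTERNAL = "10.10.10.0/24"   # internal network from the reply
Pkt = namedtuple("Pkt", "proto src sport dst dport iface direction")   # direction: in/out

class Rule:
    def __init__(self, num, action, proto="ip", src="any", dst="any", direction=None, via=None, keep_state=False):
        self.num, self.action, self.proto, self.src, self.dst = num, action, proto, src, dst
        self.direction, self.via, self.keep_state = direction, via, keep_state

    def matches(self, p):
        def addr(spec, a):   # "any", a prefix such as 10.10.10.0/24, or a single host
            return spec == "any" or (ip_address(a) in ip_network(spec) if "/" in spec else spec == a)
        return (self.proto in ("ip", p.proto) and addr(self.src, p.src) and addr(self.dst, p.dst)
                and self.direction in (None, p.direction) and self.via in (None, p.iface))

class Natd:
    """natd's alias table: outbound flows get a port on ALIAS; an inbound packet is
    un-NAT'd only if an entry exists, else dropped (-deny_incoming) or passed untouched."""
    def __init__(self, deny_incoming=True):
        self.deny_incoming, self.next_port = deny_incoming, 40000   # assumed port range
        self.out_map = {}   # (proto, src, sport, dst, dport) -> alias port
        self.in_map = {}    # (proto, alias port, peer, peer port) -> (src, sport)

    def translate(self, p):
        if p.direction == "out":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[(p.proto, self.next_port, p.dst, p.dport)] = (p.src, p.sport)
                self.next_port += 1
            return p._replace(src=ALIAS, sport=self.out_map[key])
        entry = self.in_map.get((p.proto, p.dport, p.src, p.sport))
        if entry is None:
            return None if self.deny_incoming else p
        return p._replace(dst=entry[0], dport=entry[1])

def flow_key(p):   # dynamic rules match both directions and ignore the interface
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Ipfw:
    def __init__(self, rules, natd):
        self.rules, self.natd, self.dynamic = rules, natd, set()

    def evaluate(self, p):
        """One pass over the ruleset; returns (verdict, packet as it left the pass)."""
        for r in self.rules:
            if r.action == "check-state":
                if flow_key(p) in self.dynamic:
                    return "allow", p
            elif r.matches(p):
                if r.action == "divert":
                    p = self.natd.translate(p)   # natd rewrites the packet ...
                    if p is None:
                        return "deny", None      # ... or drops it (-deny_incoming) ...
                    continue                     # ... and it re-enters at the next rule
                if r.keep_state:
                    self.dynamic.add(flow_key(p))
                return r.action, p
        return "deny", p                         # assumed default-deny rule 65535

    def forward(self, p):
        """Check a packet inbound on p.iface, then outbound on the other nic."""
        verdict, p = self.evaluate(p)
        if verdict != "allow":
            return verdict, p
        return self.evaluate(p._replace(iface=INT_IF if p.iface == EXT_IF else EXT_IF, direction="out"))

def ruleset(natd):
    return Ipfw([Rule(100, "divert", "ip", INTERNAL, "any", "out", EXT_IF),
                 Rule(200, "divert", "ip", "any", ALIAS, "in", EXT_IF),
                 Rule(300, "check-state"),
                 Rule(400, "allow", "tcp", INTERNAL, "any", None, INT_IF, keep_state=True),
                 Rule(500, "allow", "udp", INTERNAL, "any", None, INT_IF, keep_state=True),
                 Rule(600, "allow", "tcp", ALIAS, "any", "out", EXT_IF, keep_state=True),
                 Rule(700, "allow", "udp", ALIAS, "any", "out", EXT_IF, keep_state=True)], natd)

CLIENT = Pkt("tcp", "10.10.10.5", 1025, "198.51.100.7", 80, INT_IF, "in")   # constructed

def demo(deny_incoming=True):
    fw = ruleset(Natd(deny_incoming))
    v_out, wire = fw.forward(CLIENT)                # leaves fxp0 with src 1.2.3.4
    reply = Pkt(wire.proto, wire.dst, wire.dport, wire.src, wire.sport, EXT_IF, "in")
    v_reply, home = fw.forward(reply)               # un-NAT'd and passed to the client
    v_probe, _ = fw.forward(Pkt("tcp", "203.0.113.9", 4444, ALIAS, 22, EXT_IF, "in"))
    return {"out": (v_out, wire.src, wire.sport), "reply": (v_reply, home.dst, home.dport),
            "probe": v_probe, "states": len(fw.dynamic)}

def verdict_without(rule_num):
    # Re-run CLIENT's first packet with one rule removed: dropping either the
    # pre-NAT rule (400) or the post-NAT rule (600) blocks the connection.
    fw = ruleset(Natd())
    fw.rules = [r for r in fw.rules if r.num != rule_num]
    return fw.forward(CLIENT)[0]
```

forward() runs the inbound pass and then the outbound pass on the other interface, so demo() walks the client's SYN out of fxp0 as 1.2.3.4 (state created twice: once by 400 on the un-NAT'd packet in via xl0, once by 600 on the NAT'd packet out via fxp0), walks the reply back through natd to check-state and on to the client, and drops an unsolicited probe to the alias address inside natd, or, with -deny_incoming turned off, at the default deny. verdict_without() shows that removing either 400 or 600 stops the outbound connection, which is why the reply keeps state on both the pre-NAT and the post-NAT packet.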



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3EE71EB3.5D675541>