From owner-freebsd-security@FreeBSD.ORG Wed Jun 11 05:21:11 2003
From: Greg Panula
Organization: Dolan Information Center Inc
Reply-To: greg.panula@dolaninformation.com
Date: Wed, 11 Jun 2003 07:21:07 -0500
To: Subscriber
cc: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-ID: <3EE71EB3.5D675541@dolaninformation.com>
References: <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>
List-Id: Security issues [members-only posting]
Subscriber wrote:
>
> I've been using ipfw for a while to create a router with NAT
> and packet filtering, but have never combined it with
> stateful filtering, instead using things like "established" to
> accept incoming TCP packets which are part of a conversation
> initiated from the "inside".
>
> I'd like to move to using keep-state/check-state to get tighter
> filtering and also to allow outgoing UDP and the replies, which
> currently I block.
>
> But I just can't get my head around how to do this. On the way
> out, should the dynamic rules be created to match the pre-NAT
> or post-NAT packets?
>
> The man pages are good at explaining both NAT and dynamic
> rules but not both in combination.
>

## Example ##

fxp0 = external nic
xl0 = internal nic
internal network = 10.10.10.0/24
internal traffic NAT'd to 1.2.3.4

## handle nat traffic
100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
200 divert 8668 ip from any to 1.2.3.4 in via fxp0

300 check-state

## dynamic rules for internal clients access to everything
## needed so un-nat'd return traffic can flow out the
## internal nic to the internal clients
400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
500 allow udp from 10.10.10.0/24 to any keep-state via xl0

## dynamic rules allow natd alias address access to
## external resources
600 allow tcp from 1.2.3.4 to any keep-state out via fxp0
700 allow udp from 1.2.3.4 to any keep-state out via fxp0

You should also run natd with the "-deny_incoming" flag as an extra
defense against bogus packets.

good luck,
greg
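To make the pre-NAT / post-NAT question concrete, here is an added example that is not part of the mailing-list post: a small Python model of how one outbound packet and its reply walk the ruleset above across the four interface passes (in via xl0, out via fxp0, back in via fxp0, out via xl0). The interface names, the 10.10.10.0/24 network and the 1.2.3.4 alias come from the post; the host addresses and ports are constructed, and natd is simplified to keep the source port unchanged. The model also lets you drop rules 600/700 or turn off -deny_incoming to see which pass fails.

```python
# Added example (not from the post): a simplified model of the ipfw packet walk
# for the divert-natd + keep-state ruleset in Greg's reply.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

EXT_IF, INT_IF = "fxp0", "xl0"           # external / internal NIC (from the post)
INTERNAL = ip_network("10.10.10.0/24")   # internal network (from the post)
ALIAS = "1.2.3.4"                        # natd alias address (from the post)
DEFAULT_RULE = 65535                     # ipfw's implicit final deny


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(p):
    """Dynamic rules match both directions of a flow, so key on the unordered endpoints."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


class Firewall:
    def __init__(self, deny_incoming=True, alias_rules=True):
        self.state = set()   # dynamic rules created by keep-state
        self.nat = {}        # natd alias table: (proto, alias port) -> (inside addr, inside port)
        self.deny_incoming = deny_incoming
        inside = lambda p: ip_address(p.src) in INTERNAL
        # (rule number, predicate(packet, direction, interface), action), in ruleset order
        self.rules = [
            (100, lambda p, d, i: inside(p) and d == "out" and i == EXT_IF, "divert"),
            (200, lambda p, d, i: p.dst == ALIAS and d == "in" and i == EXT_IF, "divert"),
            (300, lambda p, d, i: True, "check-state"),
            (400, lambda p, d, i: p.proto == "tcp" and inside(p) and i == INT_IF, "keep-state"),
            (500, lambda p, d, i: p.proto == "udp" and inside(p) and i == INT_IF, "keep-state"),
            (600, lambda p, d, i: p.proto == "tcp" and p.src == ALIAS
                                  and d == "out" and i == EXT_IF, "keep-state"),
            (700, lambda p, d, i: p.proto == "udp" and p.src == ALIAS
                                  and d == "out" and i == EXT_IF, "keep-state"),
        ]
        if not alias_rules:  # what happens when the alias-address rules 600/700 are left out
            self.rules = [r for r in self.rules if r[0] not in (600, 700)]

    def natd(self, p, direction):
        """Simplified natd: rewrite the source on the way out, the destination on the way
        back. Returns None when natd drops an unknown inbound packet (-deny_incoming)."""
        if direction == "out":
            self.nat[(p.proto, p.sport)] = (p.src, p.sport)
            return replace(p, src=ALIAS)
        target = self.nat.get((p.proto, p.dport))
        if target is None:
            return None if self.deny_incoming else p
        return replace(p, dst=target[0], dport=target[1])

    def walk(self, p, direction, iface):
        """One pass of a packet through the ruleset on one interface.
        Returns (verdict, packet as it leaves the ruleset, rule numbers that acted)."""
        trace = []
        for num, match, action in self.rules:
            if not match(p, direction, iface):
                continue
            if action == "divert":
                trace.append(num)
                p = self.natd(p, direction)
                if p is None:
                    return "deny", None, trace
                continue          # natd re-injects the packet at the next rule
            if action == "check-state":
                if flow_key(p) in self.state:
                    trace.append(num)
                    return "allow", p, trace
                continue
            trace.append(num)     # keep-state: create the dynamic rule and allow
            self.state.add(flow_key(p))
            return "allow", p, trace
        trace.append(DEFAULT_RULE)
        return "deny", p, trace


def simulate(fw, proto, host, port, remote, rport):
    """Drive one outbound packet and its reply through the four interface passes.
    Returns a list of (pass, verdict, addresses after the pass, rules hit)."""
    steps = [("out, in via " + INT_IF, "in", INT_IF), ("out, out via " + EXT_IF, "out", EXT_IF),
             ("reply, in via " + EXT_IF, "in", EXT_IF), ("reply, out via " + INT_IF, "out", INT_IF)]
    p = Packet(proto, host, port, remote, rport)
    log = []
    for n, (label, direction, iface) in enumerate(steps):
        if n == 2:   # the reply is addressed to whatever address the outbound packet left with
            p = Packet(proto, p.dst, p.dport, p.src, p.sport)
        verdict, p, trace = fw.walk(p, direction, iface)
        log.append((label, verdict, None if p is None else f"{p.src}->{p.dst}", trace))
        if verdict != "allow":
            break
    return log


if __name__ == "__main__":
    for line in simulate(Firewall(), "udp", "10.10.10.5", 40000, "192.0.2.10", 53):
        print(*line)
    # An unsolicited inbound packet to the alias address: natd drops it before check-state.
    print(Firewall().walk(Packet("udp", "203.0.113.7", 1234, ALIAS, 5555), "in", EXT_IF))
```

The trace answers the original question: state is created twice, once at rule 500 on the pre-NAT packet as it enters on xl0 and once at rule 700 on the post-NAT packet as it leaves fxp0. On the way back, rule 200 un-NATs the reply before check-state sees it, so it is the rule-500 state (keyed on the internal address) that lets the reply through on both inbound passes. Without rules 600/700 the outbound packet is denied by the default rule right after the divert, and with -deny_incoming natd itself discards an inbound packet that matches no alias-table entry, before the ruleset has to.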