From owner-freebsd-security Thu Jun  8 09:43:01 2000
Delivered-To: freebsd-security@freebsd.org
Received: from whale.sunbay.crimea.ua (sunbay-10BASE-T.cris.net [212.110.130.67])
	by hub.freebsd.org (Postfix) with ESMTP id 6CB0237B89C
	for ; Thu, 8 Jun 2000 09:42:52 -0700 (PDT)
	(envelope-from ru@whale.sunbay.crimea.ua)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.9.3/1.13) id TAA02310;
	Thu, 8 Jun 2000 19:42:15 +0300 (EEST)
Date: Thu, 8 Jun 2000 19:42:15 +0300
From: Ruslan Ermilov
To: John F Cuzzola
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw & keep-state
Message-ID: <20000608194215.A1347@sunbay.com>
Mail-Followup-To: John F Cuzzola, freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from vdrifter@ocis.ocis.net on Thu, Jun 08, 2000 at 09:17:49AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jun 08, 2000 at 09:17:49AM -0700, John F Cuzzola wrote:
>
> Hi all,
> I'm interested in using the keep-state/check-state options with ipfw. I'm
> curious, however, what rules are dynamically created and whether I have
> control over them, specifically with divert rules. I use divert/natd
> heavily and I was wondering what happens with a rule like:
>
> ipfw add divert 7000 ip from any to 200.45.1.7
> ipfw add divert 7000 ip from 192.168.3.2 to any keep-state
>
> (natd would be listening on port 7000 providing static NAT from 200.45.1.7
> to 192.168.3.2)
>
If you put a `check-state' rule before `keep-state', this will probably be
very interesting.

There is a common problem with firewalls/NATs. People usually prohibit
intranet traffic through the external interface, and at the same time use
the external interface for NAT purposes. The problem is that when an IP
packet comes back and is de-aliased, it is passed to the firewall again as
"coming in through the public interface with an intranet destination
address", and results in PR conf/13769.

I am going to test this right now, and commit the changes to rc.firewall
if this seems to work.

-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
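The ordering problem Ruslan describes (a reply that natd has de-aliased re-enters ipfw on the public interface with an intranet destination and is eaten by an anti-intranet deny rule) can be traced with a small model of how ipfw walks a ruleset around a divert rule. The model below is an added illustration, not code from this thread, from rc.firewall or from the PR; it assumes interface names ext0/int0, a 192.168.0.0/16 intranet, and the ipfw behaviour that a packet written back by natd(8) resumes matching at the rule after the divert rule, carrying its translated addresses. The two rulesets are constructed: one reproduces the problem, the other is one ordering that avoids it by checking the destination before the divert and the source after it.

```python
"""Toy model of ipfw rule evaluation around a natd divert rule.

Added example, not code from the mailing-list thread, rc.firewall or the PR.
Assumptions: interface names ext0/int0, a 192.168.0.0/16 intranet, and the
modelled ipfw behaviour that a packet handed back by natd(8) resumes matching
at the rule *after* the divert rule, with its translated addresses.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Static NAT table as natd would hold it: public address <-> intranet address.
# 200.45.1.7 and 192.168.3.2 are the addresses from the original post.
STATIC_NAT = {"200.45.1.7": "192.168.3.2"}
EXT, INT = "ext0", "int0"          # constructed interface names


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str       # interface the packet is seen on
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"
    via: Optional[str] = None        # "via <ifname>"; None matches any interface
    direction: Optional[str] = None  # "in"/"out"; None matches both


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.via in (None, pkt.iface)
            and rule.direction in (None, pkt.direction))


def natd(pkt: Packet) -> Packet:
    """Static NAT as natd applies it: de-alias inbound dst, alias outbound src."""
    if pkt.direction == "in" and pkt.dst in STATIC_NAT:
        return replace(pkt, dst=STATIC_NAT[pkt.dst])
    public_for = {priv: pub for pub, priv in STATIC_NAT.items()}
    if pkt.direction == "out" and pkt.src in public_for:
        return replace(pkt, src=public_for[pkt.src])
    return pkt   # no mapping: natd hands the packet back unchanged


def evaluate(rules, pkt: Packet):
    """Return (verdict, rule number, packet as the deciding rule saw it)."""
    for rule in rules:              # ipfw evaluates rules in ascending order
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            # natd rewrites the packet and matching resumes at the next rule,
            # so every later rule sees the translated (intranet) address.
            pkt = natd(pkt)
            continue
        return rule.action, rule.number, pkt
    return "deny", 65535, pkt       # default rule of a default-to-deny kernel


# Ordering that reproduces the problem: the anti-intranet rules sit after the
# divert, so the de-aliased reply looks like "in via ext0 to 192.168.3.2".
BROKEN = [
    Rule(100, "divert", via=EXT),
    Rule(200, "deny", dst="192.168.0.0/16", via=EXT),
    Rule(300, "deny", src="192.168.0.0/16", via=EXT),
    Rule(65000, "allow"),
]

# One ordering that avoids it: the destination check runs on the still-public
# address before the divert; the source check runs on the aliased address after.
FIXED = [
    Rule(100, "deny", dst="192.168.0.0/16", via=EXT),
    Rule(200, "divert", via=EXT),
    Rule(300, "deny", src="192.168.0.0/16", via=EXT),
    Rule(65000, "allow"),
]

# Constructed sample traffic.
REPLY_IN = Packet("198.51.100.9", "200.45.1.7", EXT, "in")      # reply to the NATed host
REQUEST_OUT = Packet("192.168.3.2", "203.0.113.5", EXT, "out")  # legitimate outbound
SPOOF_IN = Packet("198.51.100.9", "192.168.3.2", EXT, "in")     # intranet dst from outside
LEAK_OUT = Packet("192.168.3.77", "203.0.113.5", EXT, "out")    # unmapped private src

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        for pkt in (REPLY_IN, REQUEST_OUT, SPOOF_IN, LEAK_OUT):
            verdict, num, _ = evaluate(rules, pkt)
            print(f"{name}: {pkt.src} -> {pkt.dst} {pkt.direction}: {verdict} by rule {num}")
```

Running it shows the inbound reply being denied by rule 200 under BROKEN (it reached that rule already de-aliased to 192.168.3.2) and allowed under FIXED, while the spoofed inbound packet and the untranslated private source are still denied in both orderings.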