Date:      Thu, 8 Jun 2000 19:42:15 +0300
From:      Ruslan Ermilov <ru@sunbay.com>
To:        John F Cuzzola <vdrifter@ocis.ocis.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: ipfw & keep-state
Message-ID:  <20000608194215.A1347@sunbay.com>
In-Reply-To: <Pine.LNX.4.21.0006080913220.4117-100000@ocis.ocis.net>; from vdrifter@ocis.ocis.net on Thu, Jun 08, 2000 at 09:17:49AM -0700
References:  <Pine.LNX.4.21.0006080913220.4117-100000@ocis.ocis.net>

On Thu, Jun 08, 2000 at 09:17:49AM -0700, John F Cuzzola wrote:
> 
> Hi all,
> I'm interested in using the keep-state/check-state options with ipfw. I'm
> curious however what rules are dynamically created and whether I have
> control over them, specifically with divert rules. I use divert/natd
> heavily and I was wondering what happens with a rule like:
> 
> ipfw divert 7000 ip from any to 200.45.1.7
> ipfw divert 7000 ip from 192.168.3.2 to any keep-state
> 
> (natd would be listening on port 7000 providing static-NAT from 200.45.1.7
> to 192.168.3.2)
> 
If you put the `check-state' rule before `keep-state', this will probably
be very interesting.  There is a common problem with firewalls/NATs.
People usually prohibit intranet traffic through the external interface,
and at the same time use the external interface for NAT purposes.  The
problem is that when an IP packet comes back and is de-aliased, it is
passed to the firewall again as "coming in through the public interface with
an intranet destination address", and this results in PR conf/13769.

I am going to test this right now, and commit the changes to rc.firewall
if this seems to work.


-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age

