Date: Tue, 25 Jan 2000 12:10:00 -0500 (EST) From: Jim Flowers <jflowers@ezo.net> To: freebsd-security@freebsd.org Subject: Skip, Natd, Ipfw, and VPN Nomads (long) Message-ID: <Pine.BSI.3.91.1000123203002.10162A-100000@lily.ezo.net>
next in thread | raw e-mail | index | archive | help
Skip and natd can be combined in a single FreeBSD box using ipfw rules to control packet flow to natd in useful ways. Internal users can browse the Internet or access resources on multiple remote VPN segments. External clients can access internal servers through natd port redirects. Adding nomad capability complicates the setup and two FreeBSD boxes are required. A nomad is a client from anywhere on the Internet with an ephimeral IP# that is not known in advance. When packets from the nomad are first processed by skip the client is validated from its KeyID. The corresponding IP# is entered in the access control list. Unfortunately, it is not possible to use ipfw rules to differentiate between response packets outbound to the nomad and internal client query packets outbound to Internet servers. This is singularly important when the nomad is a Windows based host that is to join an internal NT domain. The logon server response packets must bypass natd or the logon attempt will fail with a "failed to find logon server" error report. Packets from internal clients browsing the Internet, on the other hand, must go through natd to obtain a routable return address. The skip procedure provides for such a differentiation as it maintains a table of all nomad IP numbers and will process those that match, passing on those that do not. The skip procedure, however, follows natd in the outbound direction so it is not sufficient for this duty. Thus the need for two boxes, the inner box configured with skip - the outer box configured with natd. Fortunately, skip packets will pass through the natd process without alteration in both directions in the outer box. For our wireless Internet connections, that is not a burden as the wi0 interface driver is not compatable with the skip procedure and a second box is necessary on that account alone. One added refinement. Once a Windows nomad is logged on to an NT domain, it can use network neighborhood to browse hosts on the local network segment. In order for the same capability to exist for remote network segments, the decoded inbound packets must be 'educated' before forwarding to the target host so that responses return to the skiphost that was used to validate the nomad. One way to do this is to use inbound natd so that the decoded packets have the source address changed to that of the skiphost before forwarding to the target host. In fact, I prefer this method when the skiphost is located on a perimeter network acting as a VPN bypass around the inside firewall interface (for secure packets only). For systems relying on natd for security, I use the more traditional natd approach (outbound interface) on the skiphost with specific ipfw rules to divert only those packets destined for a remote VPN network segment that both arrive and leave on the same interface. A diagram will help to make the above concepts clearer. ========================Internet | [wi0] | ipfw - divert(any) -> natd(wi0) | Gw/Nat route | ipfw | [ed1] | | ===============intermediate network | [ed1] | ipfw - divert(remote only) ->natd(ed1) | VAC/Nomads skip | route | ipfw | [ed2] | | | =================private network | | [PDC] route indicates kernel routing table PDC indicates primary domain controller for NT network. Gw/Nat - gateway/nat VAC/Nomads - VPN access controller / Nomad Server ACL - access control list natd/skip notes 1. for Gw/Nat, skip packets will pass through natd unchanged in both directions. 2. for VAC/Nomads, inbound skip packets will pass through natd unchanged to be unpacked by skip and forwarded as determined by route. 3. Packets received on the ed1 interface, directed to remote networks will be processed by skip in accordance with the destination ACL. 4. Packets generated by internal clients browsing the Internet will be passed up by skip (no acl match) to Gw/Nat for processing by natd (divert match any/any) Skip, natd and ipfw all operate reliably, consistently and repeatably once the relationships are understood and exploited properly. Jim Flowers <jflowers@ezo.net> #4 ISP on C|NET, #1 in Ohio To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.3.91.1000123203002.10162A-100000>