Date: Mon, 15 May 2000 10:57:51 +0200
From: Marc Silver <marcs@draenor.org>
To: Nik Clayton <nik@freebsd.org>
Cc: freebsd-doc@freebsd.org
Subject: Re: ipfw and nat over ppp documentation
Message-ID: <20000515105751.H47098@draenor.org>
In-Reply-To: <20000421194133.C30157@catkin.nothing-going-on.org>; from nik@freebsd.org on Fri, Apr 21, 2000 at 07:41:33PM +0100
References: <20000414210740.U19472@draenor.org> <20000421194133.C30157@catkin.nothing-going-on.org>
Hey Nik (and others),

> Thanks for this. However. . . (there's always a "however" :-) )
>
> I've got a couple of questions. Perhaps if you could answer them in the
> document it would be more useful?

I have answered all these questions on the website (http://draenor.org/ipfw) but have put them here for convenience as well.

> 1. Why are you using natd, instead of PPP's built in address translation
> facilities? What are the pros and cons of each?

Answer: I'll have to be honest and say there's no definitive reason why I use ipfw and natd instead of the built in ppp filters. From the discussions I've had with people the consensus seems to be that while ipfw is certainly more powerful and more configurable than the ppp filters, what it makes up for in functionality it loses in being easy to customise. One of the reasons I use it is because I prefer firewalling to be done at a kernel level rather than by a userland program. (Is that answer ok -- I wasn't sure what you wanted from this one.)

> 2. [ This is the kicker ] Suppose you're using nat (either in PPP, or
> with natd) to run some private net IP addresses internally. How do
> you firewall them?
>
> It's my understanding (and I haven't done this, so I could be wrong)
> that if you are using 192.168.1/24 internally then you can't do
> something like
>
> $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via tun0
>
> as the address translation happens to incoming packets *before* the
> firewall gets to intercept them.

Answer: The simple answer is No. The reason for this is that natd is doing address translation for ANYTHING being diverted through the tun0 device. As far as it's concerned, incoming packets will speak only to the dynamically assigned IP address and NOT to the internal network. Note though that you can add a rule like "$fwcmd add deny all from 192.168.0.4:255.255.0.0 to any via tun0" which would limit a host on your internal network from going out via the firewall.

> 3. From a text point of view it looks fine. Would you care to run it
> past some people on the security mailing list, so they can make sure
> the advice is sound from a security perspective as well?

I have mailed this to freebsd-security and the general answer was that the rules are secure. There were one or two suggestions on how to improve rules, and I have integrated those that were relevant.

> Any thoughts? And thanks for taking the time to write this up.

Thank you for taking the time to look at it. Will you let me know if you can use this at all?

Cheers,
Marc
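The ordering question discussed in point 2, shown as an added example rather than code from the mail or from draenor.org/ipfw: a small ipfw ruleset in the thread's `$fwcmd` style for a ppp gateway running natd on tun0. It assumes tun0 is the ppp link, 192.168.1.0/24 is the LAN, 192.168.1.4 is the host to keep off the link, and natd listens on its default divert port 8668; it goes one step beyond the thread by showing what a rule placed *after* the divert sees.

```shell
#!/bin/sh
# Added example (not from the original mail or draenor.org/ipfw).
# FWCMD defaults to "echo /sbin/ipfw", so running this anywhere only prints
# the rules; on the gateway run it as root with FWCMD=/sbin/ipfw.
fwcmd="${FWCMD:-echo /sbin/ipfw}"
oif="tun0"            # external (ppp) interface, assumed
lan="192.168.1.0/24"  # internal network behind natd, assumed
blocked="192.168.1.4" # LAN host denied access to the outside, assumed

load_rules() {
    $fwcmd -f flush

    # Anti-spoofing: nothing arriving from the ppp link may claim a LAN
    # source address. natd never rewrites the source of an inbound packet,
    # so this matches whether it sits above or below the divert rule.
    $fwcmd add 100 deny all from $lan to any in via $oif

    # Marc's "limit a host" rule, single-host form. An outbound packet keeps
    # its private source address until natd rewrites it, so a rule placed
    # above the divert still sees 192.168.1.4 and can block it.
    $fwcmd add 200 deny all from $blocked to any out via $oif

    # Everything crossing tun0 goes to natd. After translation the packet
    # re-enters the ruleset at the rule following this one.
    $fwcmd add 300 divert 8668 all from any to any via $oif

    # Nik's rule cannot match above the divert: an inbound packet on tun0
    # is addressed to the dynamically assigned ppp address, not to the LAN.
    # Below the divert natd has already rewritten the destination, so LAN
    # addresses are visible again and new inbound TCP connections to the
    # LAN can be refused here.
    $fwcmd add 400 deny tcp from any to $lan in via $oif setup

    # Loopback, LAN-originated traffic, and a final catch-all deny.
    $fwcmd add 500 allow all from any to any via lo0
    $fwcmd add 600 allow all from $lan to any
    $fwcmd add 65534 deny all from any to any
}

load_rules
```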