From owner-freebsd-security Mon Jun 11 11:35:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
	by hub.freebsd.org (Postfix) with ESMTP id 8132137B435
	for <freebsd-security@FreeBSD.ORG>; Mon, 11 Jun 2001 11:35:09 -0700 (PDT)
	(envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184])
	by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GES3LV00.FMW;
	Mon, 11 Jun 2001 11:34:43 -0700
Message-ID: <3B250F5B.5D8A576E@globalstar.com>
Date: Mon, 11 Jun 2001 11:35:07 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Robin Huiser <robin@bequbed.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FW: ipfw, natd and routing question
References: <DEEJKCBNGEENMLAHPCPEOEPLCGAA.robin@bequbed.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Robin Huiser wrote:
>
> Hi all,
>
> I hope someone can help me with this problem I'm trying to solve. I think
> the answer is trivial, but so far I'm stuck.
>
> Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:
>
>                  -- DMZ
>                 /
> EXT--FIREWALL---
>                 \
>                  -- LAN
>
> -The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
> -The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
> -The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24
>
> I use NAT to 'route' traffic from the LAN to the Internet
> I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet
>
> So far, so good.
>
> But... how do I prevent the NAT from 'translating' the IP addresses when a
> session is set up from the DMZ segment to a host somewhere on the Internet?
> I want all traffic to be routed from the DMZ subnet to the Internet...
>
> I've tried to alter the natd rule, without any success.
> The rules I tried didn't work or had bad side effects, so I moved back to
> the standard natd rule, but everything gets NAT-ed now...
>
> Some examples I tried:
>
> #
> # The rule below works, but it causes TCP/IP timeouts and a *very* slow
> # connection between the DMZ and EXT subnets...
> #
> ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any
> via ${natd_interface}

This should really work. I do not understand why it would slow things
down. Is it having bad interactions with other rules? Traffic coming out
of your extranet does not go through natd(8). The return traffic does go
through natd(8), but since there is no entry in the NAT table generated
by outgoing traffic, the packets are not modified. Is your NAT table
_huge?_ I would expect other performance issues if this rule made trouble
because of that.

> #
> # The rule below doesn't work at all (?) Don't know why...
> #
> ${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via
> ${natd_interface}
>
> Please advise...

This one will not work since packets coming back from the Internet do not
get run through natd(8).
However, the easiest thing to do is probably to put all of your rules
that apply to traffic to and from your extranet _before_ the divert(4)
rule. Depending on performance issues, this approach may be good (most of
your traffic is from the extranet), bad (most traffic is from the private
network), or not matter (if your firewall machine is over-powered for the
job, who cares, go with what is easiest to administrate).
--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926
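The ordering Crist recommends, written out as an ipfw ruleset for the three-interface firewall in the thread. This is an added example, not code from either poster; the interface name, the 192.0.2.x (TEST-NET) stand-ins for the x.x.242.x subnets, and the choice of published DMZ ports are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's or Crist Clark's code): an ipfw ruleset
# for the three-interface firewall above, ordered so DMZ <-> Internet
# traffic is passed BEFORE the natd divert rule and is therefore never
# translated, while LAN traffic still reaches natd. The interface name and
# the 192.0.2.x (TEST-NET) addresses are assumptions standing in for the
# poster's x.x.242.x networks.

ext_if="fxp0"                # EXT, Internet-facing (assumed name)
dmz_net="192.0.2.48/28"      # stands in for x.x.242.48:255.255.255.240
lan_net="192.168.1.0/24"     # private LAN, as in the post

# $1 is the command prefix: "echo ipfw" for a dry run, /sbin/ipfw to load.
emit_rules() {
    fw="$1"
    $fw -f flush
    # 1xx: DMZ <-> Internet. A packet accepted here never reaches rule 200,
    # so natd sees neither the outgoing DMZ session nor its replies.
    $fw add 100 pass all from ${dmz_net} to any out via ${ext_if}
    # Inbound to the DMZ: published services plus established TCP only
    # (substitute the poster's own Internet-to-DMZ rules here).
    $fw add 110 pass tcp from any to ${dmz_net} 80,443 in via ${ext_if} setup
    $fw add 120 pass tcp from any to ${dmz_net} in via ${ext_if} established
    # 2xx: everything else crossing EXT goes through natd, i.e. LAN packets
    # on the way out and their translated replies on the way in.
    $fw add 200 divert natd all from any to any via ${ext_if}
    # 3xx: after translation, pass LAN traffic and its replies, deny the rest.
    $fw add 300 pass all from ${lan_net} to any out via ${ext_if}
    $fw add 310 pass tcp from any to any in via ${ext_if} established
    $fw add 65000 deny log all from any to any
}

print_rules() { emit_rules "echo ipfw"; }   # dry run, one command per line
load_rules()  { emit_rules /sbin/ipfw; }    # run as root on the firewall

# Guard for the mistake the thread is about: the first DMZ pass rule must
# be numbered lower than the divert rule, or the DMZ is NAT-ed after all.
dmz_rules_precede_divert() {
    print_rules | awk -v net="$dmz_net" '
        index($0, "from " net " to any out via") && !dmz { dmz = $3 }
        index($0, "divert natd")                 && !div { div = $3 }
        END { exit !(dmz + 0 > 0 && div + 0 > 0 && dmz + 0 < div + 0) }'
}
```

Run `print_rules` to review the generated commands and `dmz_rules_precede_divert` before `load_rules`; if the DMZ rules ever get renumbered above 200, the check fails and the DMZ would be translated again.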