Date: Sat, 16 Feb 2002 22:09:39 -0800
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc: FBSD <freebsd-questions@FreeBSD.ORG>
Subject: Re: IPFW check-state rules
Message-ID: <20020216220939.F48401@blossom.cjclark.org>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOIELPCHAA.barbish@a1poweruser.com>; from barbish@a1poweruser.com on Sat, Feb 16, 2002 at 11:07:05AM -0500
References: <20020216043650.F36782@blossom.cjclark.org> <LPBBIGIAAKKEOEJOLEGOIELPCHAA.barbish@a1poweruser.com>
On Sat, Feb 16, 2002 at 11:07:05AM -0500, Joe & Fhe Barbish wrote:
> Thank you for the nice explanation of why it's not working.
> If there is a solution buried in your explanation I did not get it.

There was not.

> Could you be more to the point and just say what needs to be added
> or changed to get it to work.

natd(8) does not work easily with 'keep-state' rules. You cannot put any dynamic rules before you divert to natd(8) (without some 'skip-to' gymnastics) and have a working configuration. If you do, incoming packets get accepted before being passed to natd(8), and nothing ever gets to your NAT'ed LAN. If you place 'keep-state' rules after the 'divert' rule, you've seen what happens. The 'keep-state' rules see packets after translation, so incoming and outgoing packets that are part of the same connection don't look like it. You can use a 'keep-state' rule on the internal interface to create dynamic rules containing addresses on the NAT'ed LAN, but they won't work quite right for the same reasons.

The answer you get most frequently (and it is not a really good one, but generally good enough) is that when you mix natd(8) and stateless ipfw(8) you end up with a stateful firewall anyway.

  00100 drop ip from any to ${inet} in via ${oif}
  00200 divert 8668 ip from any to any via ${oif}
  00300 pass ip from any to ${inet} in via ${oif}
  00500 pass tcp from me to any 53,80,5559 out via ${oif}
  00600 pass udp from me to any 53 out via ${oif}

Packets that are part of an allowed, legitimate TCP connection will pass rule 500 on the way out and 300 on the way back in. Packets that you do not want out won't get out. Packets that are not part of a valid TCP connection will not get translated by natd(8) and will not match 300 (this is where a stateless packet filter falls short on its own). Spoofed packets get dropped by 100.

Note: I just wrote these off the top of my head so I may have forgotten a detail, but you get the idea.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
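The five-rule ruleset in the message above is easier to trust once you trace packets through it, so here is a small model of that trace as an added example; it is not code from the message, from FreeBSD, or from the thread's participants. It assumes ${inet} is the NAT'ed LAN (a constructed 192.168.1.0/24), ${oif} is a hypothetical outside interface name fxp0 with the constructed public address 203.0.113.5, ipfw's 'me' covers both of the gateway's addresses, and the kernel's default rule 65535 denies. The Natd class is a stand-in for natd(8)'s translation table with default behaviour (no -deny_incoming): outbound packets get the alias address and a fresh alias port, inbound packets are rewritten only when they hit an existing entry, and everything else is handed back untouched, which is exactly what rule 300 relies on.

```python
"""Trace packets through the ipfw + natd ruleset from the message (constructed model)."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed values standing in for the ${inet} / ${oif} variables in the message.
INET = ipaddress.ip_network("192.168.1.0/24")  # ${inet}: the NAT'ed LAN
OIF = "fxp0"                                    # ${oif}: outside interface (hypothetical name)
PUBLIC = "203.0.113.5"                          # gateway's outside address = natd alias address
ME = {PUBLIC, "192.168.1.1"}                    # ipfw 'me': every address of the firewall host


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str


class Natd:
    """Stand-in for natd(8): a translation table keyed on (proto, alias port)."""

    def __init__(self, alias_addr, first_port=40000):
        self.alias_addr = alias_addr
        self.next_port = first_port
        self.links = {}  # (proto, alias_port) -> (lan_addr, lan_port)

    def translate(self, pkt):
        if pkt.direction == "out":
            # Reuse an existing link for this LAN socket, otherwise allocate a new alias port.
            for (proto, aport), link in self.links.items():
                if proto == pkt.proto and link == (pkt.src, pkt.sport):
                    return replace(pkt, src=self.alias_addr, sport=aport)
            aport, self.next_port = self.next_port, self.next_port + 1
            self.links[(pkt.proto, aport)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.alias_addr, sport=aport)
        # Inbound: rewrite only when a link exists; otherwise return the packet unchanged,
        # so its destination stays the public address and never matches ${inet}.
        link = self.links.get((pkt.proto, pkt.dport))
        if pkt.dst == self.alias_addr and link is not None:
            return replace(pkt, dst=link[0], dport=link[1])
        return pkt


def in_inet(addr):
    return ipaddress.ip_address(addr) in INET


def firewall(pkt, natd):
    """Walk the rules in order; return (rule_number, verdict) of the first match."""
    # 00100 drop ip from any to ${inet} in via ${oif}  -- evaluated before translation
    if pkt.direction == "in" and pkt.iface == OIF and in_inet(pkt.dst):
        return 100, "deny"
    # 00200 divert 8668 ip from any to any via ${oif}  -- natd rewrites the packet here
    if pkt.iface == OIF:
        pkt = natd.translate(pkt)
    # 00300 pass ip from any to ${inet} in via ${oif}  -- only translated replies match
    if pkt.direction == "in" and pkt.iface == OIF and in_inet(pkt.dst):
        return 300, "pass"
    # 00500 pass tcp from me to any 53,80,5559 out via ${oif}
    if (pkt.proto == "tcp" and pkt.src in ME and pkt.dport in (53, 80, 5559)
            and pkt.direction == "out" and pkt.iface == OIF):
        return 500, "pass"
    # 00600 pass udp from me to any 53 out via ${oif}
    if (pkt.proto == "udp" and pkt.src in ME and pkt.dport == 53
            and pkt.direction == "out" and pkt.iface == OIF):
        return 600, "pass"
    # 65535 deny ip from any to any (the kernel's default rule, assumed here)
    return 65535, "deny"


def run_scenarios():
    """Replay the cases the message describes; returns {name: (rule, verdict)}."""
    natd = Natd(PUBLIC)
    lan_host, web, stranger = "192.168.1.10", "198.51.100.7", "198.51.100.9"  # constructed
    r = {}
    # Allowed outbound HTTP: translated at 200, passed by 500.
    r["lan_http_out"] = firewall(Packet("tcp", lan_host, 51000, web, 80, "out", OIF), natd)
    # Its reply arrives on the alias port; 200 maps it back onto the LAN host, 300 passes it.
    aport = next(p for (_, p), link in natd.links.items() if link == (lan_host, 51000))
    r["http_reply_in"] = firewall(Packet("tcp", web, 80, PUBLIC, aport, "in", OIF), natd)
    # Unsolicited inbound SYN: no link, dst stays public, nothing matches, default deny.
    r["unsolicited_in"] = firewall(Packet("tcp", stranger, 4444, PUBLIC, 22, "in", OIF), natd)
    # Packet from outside already addressed to a LAN host: 100 drops it before natd sees it.
    r["spoofed_in"] = firewall(Packet("tcp", stranger, 4444, lan_host, 22, "in", OIF), natd)
    # Outbound SMTP from the LAN: translated, but no rule allows port 25 out.
    r["lan_smtp_out"] = firewall(Packet("tcp", lan_host, 51001, web, 25, "out", OIF), natd)
    return r


if __name__ == "__main__":
    for name, (rule, verdict) in run_scenarios().items():
        print(f"{name:15s} rule {rule:5d} {verdict}")
```

The trace makes the message's point concrete: the "state" that rule 300 leans on is natd's translation table, not anything ipfw remembers, which is why inbound packets that natd never translated fall all the way through to the default deny. It also shows the caveat in the last scenario: natd allocates a table entry at rule 200 before the later rules decide, so a denied outbound packet still leaves a translation entry behind until it times out.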