From owner-freebsd-questions Sat Feb 16 22:09:44 2002
Date: Sat, 16 Feb 2002 22:09:39 -0800
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: Joe & Fhe Barbish
Cc: FBSD
Subject: Re: IPFW check-state rules
Message-ID: <20020216220939.F48401@blossom.cjclark.org>
References: <20020216043650.F36782@blossom.cjclark.org>
In-Reply-To: from barbish@a1poweruser.com on Sat, Feb 16, 2002 at 11:07:05AM -0500
User-Agent: Mutt/1.2.5i
X-URL: http://people.freebsd.org/~cjc/

On Sat, Feb 16, 2002 at 11:07:05AM -0500, Joe & Fhe Barbish wrote:
> Thank you for the nice explanation of why it's not working.
> If there is a solution buried in your explanation I did not get it.

There was not.

> Could you be more to the point and just say what needs to be added
> or changed to get it to work.

natd(8) does not work easily with 'keep-state' rules. You cannot put
any dynamic rules before you divert to natd(8) (without some 'skip-to'
gymnastics) and have a working configuration. If you do, incoming
packets get accepted before being passed to natd(8), and nothing ever
gets to your NAT'ed LAN.
If you place 'keep-state' rules after the 'divert' rule, you've seen
what happens. The 'keep-state' rules see packets after translation, so
incoming and outgoing packets that are part of the same connection
don't look like it. You can use a 'keep-state' rule on the internal
interface to create dynamic rules containing addresses on the NAT'ed
LAN, but they won't work quite right for the same reasons.

The answer you get most frequently (and it is not a really good one,
but generally good enough) is that when you mix natd(8) and stateless
ipfw(8) you end up with a stateful firewall anyway.

  00100 drop ip from any to ${inet} in via ${oif}
  00200 divert 8668 ip from any to any via ${oif}
  00300 pass ip from any to ${inet} in via ${oif}
  00500 pass tcp from me to any 53,80,5559 out via ${oif}
  00600 pass udp from me to any 53 out via ${oif}

Packets that are part of an allowed, legitimate TCP connection will
pass rule 500 on the way out and 300 on the way back in. Packets that
you do not want out won't get out. Packets that are not part of a
valid TCP connection will not get translated by natd(8) and will not
match 300 (this is where a stateless packet filter falls short on its
own). Spoofed packets get dropped by 100.

Note: I just wrote these off the top of my head so I may have
forgotten a detail, but you get the idea.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org