Date:      Mon, 5 Aug 2002 17:24:45 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc:        Nick Rogness <nick@rogness.net>, FBIPFW <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: natd & keep-state
Message-ID:  <20020806002445.GB63528@blossom.cjclark.org>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGKEJFCHAA.barbish@a1poweruser.com>
References:  <20020805180536.GA63145@blossom.cjclark.org> <MIEPLLIBMLEEABPDBIEGKEJFCHAA.barbish@a1poweruser.com>

[CC list trimmed _way_ down.]

On Mon, Aug 05, 2002 at 06:35:25PM -0400, Joe & Fhe Barbish wrote:
> What I believe the original poster was referring to is
> skipto 2000 check-state

I see. Eww.

> so all packets that have matches in the dynamic table will
> go to the skipto rule instead of exiting the rules file.

That makes some assumptions about the actions associated with each
dynamic rule. A dynamic rule is just like any other rule, match and do
the action specified in the rule. This would scan through the dynamic
rules, match, ignore the action in the rule and do some other
action. Obviously it could be done, but you're starting to treat
dynamic rules differently than other rules which makes things even
more confusing and complicated, IMHO.

> At that skipto rule would be a divert nated rule via $xif followed by
> Allow all from any to any that would exit the rules file.
> This sure would simplify the rule gymnastics for keep-state
> logic using natd.
> 
> 
> 
> # Jump direct to outbound section.
> $cmd 130 skipto 600 all from any to any out via $xif
> 
> $cmd 210 divert natd all from any to any in via $xif
> $cmd 212 skipto 500 check-state
> $cmd 215 allow tcp from any to any 80 in via $xif setup keep-state
> $cmd 291 deny log logamount 500 all from any to any
> $cmd 500 allow all from any to any
> 
> $cmd 600 skipto 690 check-state
> $cmd 609 skipto 690 tcp from any to any 80 out via $xif setup keep-state
> $cmd 610 skipto 690 tcp from any to $odns1 53 out via $xif setup keep-state
> $cmd 611 skipto 690 udp from any to $odns1 53 out via $xif keep-state
> $cmd 630 skipto 690 tcp from any to any 25,110 out via $xif setup keep-state
> 
> $cmd 690 divert natd all from any to any out via $xif
> $cmd 692 allow all from any to any out via $xif

I still don't see why you would want to do that when,

  # We seem to have an internal interface with no restrictions
  $cmd pass ip from any to any via $iif

  # No spoofing!
  $cmd drop log ip from any to $internal_net in via $xif

  # Go to natd(8) and rewrite the addresses.
  $cmd divert natd all from any to any via $xif

  # Allow stateful TCP connections to carry on.
  $cmd pass tcp from any to $internal_net established via $xif

  # TCP services we allow out.
  $cmd pass tcp from me to any 80 out via $xif setup
  $cmd pass tcp from me to $odns1 53 out via $xif setup
  $cmd pass tcp from me to any 25,110 out via $xif setup

  # Allow stateful UDP "connections" to carry on.
  $cmd pass udp from $odns1 to $internal_net in via $xif

  # UDP services we allow out.
  $cmd pass udp from me to $odns1 53 out via $xif

  # Services offered on the internal network (must be a
  # redirect_{port|address} given to natd(8)).
  $cmd pass tcp from any to $internal_net 80 in via $xif
  $cmd pass tcp from $internal_net 80 to any out via $xif

  # Catch the rest and log. (Should almost all be stuff that
  # (a) tried to go out of $xif that was not on one of the
  # ports we allow, (b) an incoming connection from outside
  # $xif that is not allowed, or (c) anything else that came into
  # $xif from the outside which was not part of a "live connection"
  # known to natd(8).
  $cmd drop log ip from any to any

Applies the same policy with the same protections (actually,
I tightened them a tad assuming the firewall itself was actually
supposed to be locked down a bit more), is less complicated, and uses
fewer system resources.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
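As an added example, not the author's own script: a complete rc.firewall-style shell script that loads the ruleset proposed in the reply above. The interface names (xl0/xl1), the internal network (192.168.1.0/24) and the resolver address (192.0.2.53) are assumed values for illustration. With DRY_RUN=1 (the default) each rule is printed instead of loaded, so the ordering can be inspected on any host; check_order verifies the ordering the reply relies on, namely the anti-spoofing drop before the natd divert, and the divert before any rule that sees rewritten addresses.

```shell
#!/bin/sh
# Added example: a self-contained rc.firewall-style script for the ruleset in
# the reply above. Not the mail's own script; interface names, the internal
# network and the resolver address are assumed.
# DRY_RUN=1 (default) prints rules instead of loading them with ipfw(8).

xif="${xif:-xl0}"                                # assumed external interface
iif="${iif:-xl1}"                                # assumed internal interface
internal_net="${internal_net:-192.168.1.0/24}"   # assumed internal network
odns1="${odns1:-192.0.2.53}"                     # assumed ISP resolver (TEST-NET-1)

case "${DRY_RUN:-1}" in
    1) cmd="echo ipfw -q add" ;;
    *) cmd="ipfw -q add" ;;
esac

emit_rules() {
    [ "${DRY_RUN:-1}" = 1 ] || ipfw -q -f flush

    # Internal interface is unrestricted.
    $cmd pass ip from any to any via "$iif"

    # Anti-spoofing: nothing claiming an internal source may arrive on $xif.
    # Must precede the divert so natd(8) never sees such packets.
    $cmd drop log ip from any to "$internal_net" in via "$xif"

    # Every packet crossing $xif is rewritten by natd(8) first, so all later
    # rules see internal addresses on both inbound and outbound traffic.
    $cmd divert natd all from any to any via "$xif"

    # Replies belonging to established TCP connections.
    $cmd pass tcp from any to "$internal_net" established via "$xif"

    # TCP services allowed out (only the SYN; later packets match 'established').
    $cmd pass tcp from me to any 80 out via "$xif" setup
    $cmd pass tcp from me to "$odns1" 53 out via "$xif" setup
    $cmd pass tcp from me to any 25,110 out via "$xif" setup

    # UDP: DNS answers back from the resolver, and queries out to it.
    $cmd pass udp from "$odns1" to "$internal_net" in via "$xif"
    $cmd pass udp from me to "$odns1" 53 out via "$xif"

    # Web server on the internal network (needs a natd redirect_port).
    $cmd pass tcp from any to "$internal_net" 80 in via "$xif"
    $cmd pass tcp from "$internal_net" 80 to any out via "$xif"

    # Default: drop and log everything else.
    $cmd drop log ip from any to any
}

# Position (1-based) of the first emitted rule matching a pattern, 0 if none.
rule_index() {
    n=$(emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Ordering check: anti-spoof before divert, divert before the rule that
# depends on post-NAT addresses. Prints "ok" or "bad order".
check_order() {
    spoof=$(rule_index "drop log ip from any to $internal_net in via")
    nat=$(rule_index "divert natd")
    est=$(rule_index "established")
    if [ "$spoof" -gt 0 ] && [ "$spoof" -lt "$nat" ] && [ "$nat" -lt "$est" ]; then
        echo ok
    else
        echo "bad order"
    fi
}

emit_rules
check_order
```

Run it as-is to see the twelve rules that would be loaded; set DRY_RUN=0 on a FreeBSD host with natd(8) running on the divert port to actually install them.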
