Date: Mon, 5 Aug 2002 17:24:45 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Joe & Fhe Barbish
Cc: Nick Rogness, FBIPFW
Subject: Re: natd & keep-state
Message-ID: <20020806002445.GB63528@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020805180536.GA63145@blossom.cjclark.org>
User-Agent: Mutt/1.4i
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-ipfw@FreeBSD.ORG

[CC list trimmed _way_ down.]

On Mon, Aug 05, 2002 at 06:35:25PM -0400, Joe & Fhe Barbish wrote:
> What I believe the original poster was referring to is
> skipto 2000 check-state

I see. Eww.
> so all packets that have matches in the dynamic table will
> go to the skipto rule instead of exiting the rules file.

That makes some assumptions about the actions associated with each dynamic rule. A dynamic rule is just like any other rule: match and do the action specified in the rule. This would scan through the dynamic rules, match, ignore the action in the rule and do some other action. Obviously it could be done, but you're starting to treat dynamic rules differently than other rules, which makes things even more confusing and complicated, IMHO.

> At that skipto rule would be a divert nated rule via $xif followed by
> Allow all from any to any that would exit the rules file.
> This sure would simplify the rule gymnastics for keep-state
> logic using natd.
>
>
>
> # Jump direct to outbound section.
> $cmd 130 skipto 600 all from any to any out via $xif
>
> $cmd 210 divert natd all from any to any in via $xif
> $cmd 212 skipto 500 check-state
> $cmd 215 allow tcp from any to any 80 in via $xif setup keep-state
> $cmd 291 deny log logamount 500 all from any to any
> $cmd 500 allow all from any to any
>
> $cmd 600 skipto 690 check-state
> $cmd 609 skipto 690 tcp from any to any 80 out via $xif setup keep-state
> $cmd 610 skipto 690 tcp from any to $odns1 53 out via $xif setup keep-state
> $cmd 611 skipto 690 udp from any to $odns1 53 out via $xif keep-state
> $cmd 630 skipto 690 tcp from any to any 25,110 out via $xif setup keep-state
>
> $cmd 690 divert natd all from any to any out via $xif
> $cmd 692 allow all from any to any out via $xif

I still don't see why you would want to do that when,

# We seem to have an internal interface with no restrictions
$cmd pass ip from any to any via $iif

# No spoofing!
$cmd drop log ip from any to $internal_net in via $xif

# Go to natd(8) and rewrite the addresses.
$cmd divert natd all from any to any via $xif

# Allow stateful TCP connections to carry on.
$cmd pass tcp from any to $internal_net established via $xif

# TCP services we allow out.
$cmd pass tcp from me to any 80 out via $xif setup
$cmd pass tcp from me to $odns1 53 out via $xif setup
$cmd pass tcp from me to any 25,110 out via $xif setup

# Allow stateful UDP "connections" to carry on.
$cmd pass udp from $odns1 to $internal_net in via $xif

# UDP services we allow out.
$cmd pass udp from me to $odns1 53 out via $xif

# Services offered on the internal network (must be a
# redirect_{port|address} given to natd(8)).
$cmd pass tcp from any to $internal_net 80 in via $xif
$cmd pass tcp from $internal_net 80 to any out via $xif

# Catch the rest and log. (Should almost all be stuff that
# (a) tried to go out of $xif that was not on one of the
# ports we allow, (b) an incoming connection from outside
# $xif that is not allowed, or (c) anything else that came into
# $xif from the outside which was not part of a "live connection"
# known to natd(8).)
$cmd drop log ip from any to any

Applies the same policy with the same protections (actually, I tightened them a tad assuming the firewall itself was actually supposed to be locked down a bit more), is less complicated, and uses fewer system resources.
-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org
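As an added illustration (not code from the post, from FreeBSD, or from ipfw itself), here is a small Python model of how ipfw walks the ruleset above first-match, with `divert natd` modelled as an address rewrite that hands the packet back at the next rule, `setup` as SYN-without-ACK and `established` as ACK-or-RST. The interface names, addresses, and the `redirect_port` entry are assumptions, and `me` is simplified to the firewall's external address.

```python
import ipaddress

XIF, IIF = "xl0", "xl1"             # assumed $xif (external) and $iif (internal)
EXT_IP = "203.0.113.10"             # assumed external address; "me" in the post
INTERNAL = "192.168.1.0/24"         # assumed $internal_net
ODNS1 = "198.51.100.53"             # assumed $odns1

# (number, action, proto, src, dst, dst ports, direction, interface, tcp flag)
RULES = [
    (100, "pass",   "ip",  "any",   "any",    None,      None,  IIF,  None),
    (200, "drop",   "ip",  "any",   INTERNAL, None,      "in",  XIF,  None),
    (300, "divert", "ip",  "any",   "any",    None,      None,  XIF,  None),
    (400, "pass",   "tcp", "any",   INTERNAL, None,      None,  XIF,  "established"),
    (410, "pass",   "tcp", EXT_IP,  "any",    {80},      "out", XIF,  "setup"),
    (411, "pass",   "tcp", EXT_IP,  ODNS1,    {53},      "out", XIF,  "setup"),
    (412, "pass",   "tcp", EXT_IP,  "any",    {25, 110}, "out", XIF,  "setup"),
    (500, "pass",   "udp", ODNS1,   INTERNAL, None,      "in",  XIF,  None),
    (510, "pass",   "udp", EXT_IP,  ODNS1,    {53},      "out", XIF,  None),
    (600, "pass",   "tcp", "any",   INTERNAL, {80},      "in",  XIF,  None),
    (65535, "drop", "ip",  "any",   "any",    None,      None,  None, None),
]

def addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def matches(rule, p):  # setup = SYN without ACK; established = ACK (or RST) set
    _, _, proto, src, dst, ports, direction, iface, flag = rule
    return (proto in ("ip", p["proto"])
            and addr_ok(src, p["src"]) and addr_ok(dst, p["dst"])
            and (ports is None or p.get("dport") in ports)
            and (direction is None or direction == p["dir"])
            and (iface is None or iface == p["iface"])
            and (flag != "setup" or (p.get("syn") and not p.get("ack")))
            and (flag != "established" or bool(p.get("ack") or p.get("rst"))))

def natd(p, table):  # model of natd(8): rewrite source out, reverse known flows in
    if p["dir"] == "out":
        table[p["sport"]], p["src"] = p["src"], EXT_IP
    elif p["dst"] == EXT_IP and p.get("dport") in table:
        p["dst"] = table[p["dport"]]
    return p

def evaluate(p, table):  # first-match walk; returns (rule number, action)
    p = dict(p)
    for rule in RULES:
        if matches(rule, p) and rule[1] == "divert":
            p = natd(p, table)  # natd hands the packet back at the next rule
        elif matches(rule, p):
            return rule[0], rule[1]
```

Pre-seeding the table with a port (e.g. `{80: "192.168.1.80"}`) plays the role of the `redirect_port` the post says rule 600 needs; without it an inbound SYN to port 80 is never translated to an internal address and falls through to the final drop.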