Date:      Tue, 2 Jan 2001 15:18:17 -0800
From:      Steven Kehlet <kehlet@fisix.com>
To:        Rene de Vries <freebsd@canyon.demon.nl>
Cc:        Luigi Rizzo <rizzo@aciri.org>, freebsd-security@freebsd.org
Subject:   Re: statefull packet filter together with natd question
Message-ID:  <20010102151817.F59927@leviathan.techfuel.com>
In-Reply-To: <20001220232239.A1012@canyon.demon.nl>; from freebsd@canyon.demon.nl on Wed, Dec 20, 2000 at 11:22:39PM +0100
References:  <20001220184937.A788@canyon.demon.nl> <200012201757.eBKHvIb77566@iguana.aciri.org> <20001220232239.A1012@canyon.demon.nl>

[ moved from -hackers to -security ]

For whatever it's worth, I struggled with this same problem for an
entire day before giving up and using ipfilter.  It seems to me
that there is a fundamental problem with using the ipfw stateful
rules and natd (as I'm sure you discovered yourself):  the ordering
of translation needs to be reversed upon return, and I couldn't
seem to find a way to do that with ipfw.  That is, the ordering
should be:

out:
1. make dynamic rule via keep state
2. translate via natd

returning:
3. untranslate via natd
4. validate packet via dynamic rules 

But there is no way to do this with ipfw because outgoing processing
stops at step #1, preventing the packets from reaching the natd
rule.

Another sensible scenario might be:

out:
1. translate via natd
2. make dynamic rule via keep state

returning:  
3. validate packet via dynamic rules 
4. untranslate via natd

But now you're screwed the other direction: you can't do steps #3
then #4 on returning because processing stops at #3.

I too started getting desperate and tried a number of tricks like
having two natd rules (none of which worked, however) :-).  Please
correct me if my analysis is incorrect! :-)  I like the interface
of ipfw much better than ipf and would rather use it if possible.

Steve



On Wed, Dec 20, 2000 at 11:22:39PM +0100, Rene de Vries wrote:
> Date: Wed, 20 Dec 2000 23:22:39 +0100
> From: Rene de Vries <freebsd@canyon.demon.nl>
> To: Luigi Rizzo <rizzo@aciri.org>
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: Re: statefull packet filter together with natd question
> 
> On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > > Currently I'm trying to move towards a stateful packet filter. When testing
> > > without nat all seems to work fine. But when I added natd (as the first
> > > rule) packets that were natd-ed on their way out had their return traffic
> > > blocked. The question is, what am I doing wrong?!?
> > 
> > nat changes addresses and then reinjects packets in the firewall.
> > Chances are that there is no dynamic rule matching the
> > packet after the translation.
> 
> This is what I know, the problem is how to nat at the right time. I played
> with two natting rules, one for incoming and one for outgoing traffic (to the
> same nat process) but I didn't get it working. This made me think that there
> should be a simple solution to this problem.
> 
> -- 
> Rene de Vries                        http://www.tcja.nl mailto:rene@tcja.nl
> 
> 


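The two rule orderings Steve describes can be checked mechanically. The following is an added simulation, not code from the thread or from FreeBSD; it models only the ipfw behaviour the thread relies on (first matching rule terminates processing, `divert` hands the packet to natd which rewrites it and reinjects it at the next rule, `keep state` allows the packet and records its 4-tuple in both directions). Addresses, ports and the `Natd`/`Ipfw` classes are constructed for the example; the direction-specific divert rules correspond to the "two natd rules" trick mentioned in the thread.

```python
"""Toy model of ipfw first-match processing with divert-to-natd and
keep-state / check-state rules. Constructed to illustrate why neither
rule ordering from the thread passes a NATed connection's return
traffic. Addresses, ports and rule layouts are constructed examples."""

from dataclasses import dataclass, replace

PRIVATE = "192.168.1.10"   # constructed: host behind the NAT box
PUBLIC = "203.0.113.1"     # constructed: NAT box's external address
REMOTE = "198.51.100.7"    # constructed: server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (leaving via the external interface) or "in"

    def tuple4(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse4(self):
        return (self.dst, self.dport, self.src, self.sport)


class Natd:
    """Minimal natd: rewrites an outbound source to PUBLIC:<alias port>
    and undoes it for inbound packets that hit a known alias port."""

    def __init__(self, first_alias_port=40000):
        self.next_port = first_alias_port
        self.table = {}  # alias port -> (private addr, private port)

    def translate(self, pkt):
        if pkt.direction == "out" and pkt.src != PUBLIC:
            port = self.next_port
            self.next_port += 1
            self.table[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC, sport=port)
        if pkt.direction == "in" and pkt.dst == PUBLIC and pkt.dport in self.table:
            src, sport = self.table[pkt.dport]
            return replace(pkt, dst=src, dport=sport)
        return pkt  # no mapping: natd hands the packet back unchanged


class Ipfw:
    """Rule forms: ("divert", natd, direction), ("check-state",),
    ("keep-state", direction), ("deny",). A rule carrying a direction
    only applies to packets travelling that way (like 'in'/'out' in ipfw)."""

    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # 4-tuples admitted by keep-state, both directions

    def process(self, pkt):
        for rule in self.rules:
            kind = rule[0]
            if kind == "divert":
                _, natd, direction = rule
                if direction == pkt.direction:
                    # natd rewrites and reinjects; ipfw continues at the next rule
                    pkt = natd.translate(pkt)
            elif kind == "check-state":
                if pkt.tuple4() in self.dynamic:
                    return "allow", pkt  # first match: processing stops here
            elif kind == "keep-state":
                if rule[1] == pkt.direction:
                    self.dynamic.add(pkt.tuple4())
                    self.dynamic.add(pkt.reverse4())
                    return "allow", pkt  # 'allow ... keep-state' also terminates
            elif kind == "deny":
                return "deny", pkt
        return "deny", pkt  # implicit default deny


def scenario_a():
    """Ordering 1 from the thread: keep state first, translate second."""
    natd = Natd()
    fw = Ipfw([("divert", natd, "in"), ("check-state",), ("keep-state", "out"),
               ("divert", natd, "out"), ("deny",)])
    out = Packet(PRIVATE, 5000, REMOTE, 80, "out")
    verdict, left = fw.process(out)
    # keep-state allowed the packet and stopped; the outbound divert was never reached,
    # so the packet leaves with its private source address.
    return verdict, left.src


def scenario_b():
    """Ordering 2 from the thread: translate first, keep state second."""
    natd = Natd()
    fw = Ipfw([("divert", natd, "out"), ("check-state",), ("keep-state", "out"),
               ("divert", natd, "in"), ("deny",)])
    out = Packet(PRIVATE, 5000, REMOTE, 80, "out")
    v_out, left = fw.process(out)  # translated to PUBLIC:40000, state kept on that tuple
    reply = Packet(REMOTE, 80, left.src, left.sport, "in")
    v_in, back = fw.process(reply)
    # check-state matches the translated tuple and stops; the inbound divert is never
    # reached, so the reply is accepted but still addressed to PUBLIC, not the host.
    return v_out, left.src, v_in, back.dst


if __name__ == "__main__":
    print("ordering 1:", scenario_a())
    print("ordering 2:", scenario_b())
```

Running it shows the two failure modes the thread describes: in the first ordering the outbound packet is accepted without ever being translated, and in the second the return packet is accepted by `check-state` but never untranslated, so it is not delivered to the internal host in either case.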
