From owner-freebsd-questions@FreeBSD.ORG Mon Jun 14 14:12:01 2004
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5B5FF16A4CE for ; Mon, 14 Jun 2004 14:12:01 +0000 (GMT)
Received: from smtp.nildram.co.uk (smtp.nildram.co.uk [195.112.4.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id E3A2743D48 for ; Mon, 14 Jun 2004 14:12:00 +0000 (GMT) (envelope-from nullentropy@lineone.net)
Received: from [192.168.1.102] (orbital.gotadsl.co.uk [81.6.215.230]) by smtp.nildram.co.uk (Postfix) with ESMTP id BCC122538C1 for ; Mon, 14 Jun 2004 15:11:36 +0100 (BST)
Message-ID: <40CDB20F.2000806@lineone.net>
Date: Mon, 14 Jun 2004 15:11:27 +0100
From: Robert Downes
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040608
X-Accept-Language: en, fr, en-us
MIME-Version: 1.0
To: FreeBSD Questions
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: IPFW with NAT and keep-state
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Mon, 14 Jun 2004 14:12:01 -0000

There seems to be confusion as soon as IPFW is used for NAT and for stateful dynamic rules.

My ruleset so far contains the below rules, and I wonder if someone can tell me if there's anything incorrect about them (with regard to correctly using NAT and dynamic rulesets):

    bash-2.05b# ipfw -a list
    00100 3155 1100714 divert 8668 ip from any to any via rl0
    00200 0 0 check-state
    00300 200 25128 allow ip from me to me
    00400 1991 131910 allow ip from 192.168.0.0/24 to any keep-state
    00500 3928 2038665 allow ip from 192.168.1.0/24 to any keep-state
    65535 1 338 deny ip from any to any

I'm not asking if these rules are battleship secure - I'm sure I have a lot of work to do yet in creating a tighter ruleset.

What I want to know is: are these rules correctly allowing NAT to work with dynamic rules, or is there some gaping security flaw that I'm missing?

With the above rules, I can use the gateway machine to connect to the Internet (well, any website of my choice), and I can also use a machine on the 192.168.1 subnet to connect through the gateway to any website, mail server, etc. So NAT seems to be working.

If I remove the keep-state option from the 192.168.1 line, then the LAN machine can send a request to a website, but never gets a reply. Removing the keep-state from the 192.168.0 line stops the gateway asking for pages. So the dynamic rule system seems to be working.

So it would seem that NAT and dynamic rules are working harmoniously together. But how naive am I being? What might I be missing?

Also, if I have got them working together correctly, why do I end up with a lot of packets denied by the `deny ip from any to any` rule? What are these few packets, and what tried to send them?

Any ideas?

(By The Way... I remember why I stopped using Usenet all those years ago - have you seen what's being done to c.u.b.freebsd.misc lately? Not the correct way to promote Windows and discredit Linux.)

-- 
Bob
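A small ruleset checker, added here as an example and not part of the post or of FreeBSD's own tools: it parses the `ipfw -a list` output quoted above (embedded as a constructed sample) and reports the two things the post asks about, whether check-state is consulted before the keep-state rules, and whether the default deny is collecting packets with no `deny log` rule ahead of it that would show what they are. The note about natd-translated packets re-entering at the rule after the divert follows divert(4)/natd(8) semantics; the 65000 rule number in the suggestion is an arbitrary placeholder.

```python
import re
from typing import NamedTuple

# Constructed sample: the `ipfw -a list` output quoted in the post.
SAMPLE = """\
00100 3155 1100714 divert 8668 ip from any to any via rl0
00200 0 0 check-state
00300 200 25128 allow ip from me to me
00400 1991 131910 allow ip from 192.168.0.0/24 to any keep-state
00500 3928 2038665 allow ip from 192.168.1.0/24 to any keep-state
65535 1 338 deny ip from any to any
"""

class Rule(NamedTuple):
    number: int
    packets: int
    action: str   # first word of the rule body, e.g. "allow"
    body: str     # full body, e.g. "allow ip from me to me"

# `ipfw -a list` prints: rule number, packet count, byte count, rule body.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+\d+\s+(\S.*)$")

def parse_ipfw_list(text: str) -> list[Rule]:
    """Parse `ipfw -a list` output, skipping the shell prompt and blank lines."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), m[3].split()[0], m[3]))
    return rules

def lint(rules: list[Rule]) -> list[str]:
    """Findings about dynamic-rule handling and unexplained default-deny hits."""
    findings = []
    first_keep = next((r.number for r in rules if "keep-state" in r.body), None)
    check = next((r.number for r in rules if r.action == "check-state"), None)
    if first_keep is not None and check is None:
        findings.append("no check-state rule: the dynamic ruleset is only consulted "
                        "at the first keep-state rule")
    elif first_keep is not None and check > first_keep:
        findings.append(f"check-state {check} comes after keep-state rule {first_keep}")
    diverts = [r.number for r in rules if r.action == "divert"]
    if diverts and check is not None and diverts[0] < check:
        findings.append(f"divert {diverts[0]} precedes check-state: natd-translated packets "
                        "re-enter at the next rule; see `ipfw -d list` for the dynamic rules")
    default = next((r for r in rules if r.number == 65535), None)
    logged = any(r.action == "deny" and " log " in f" {r.body} " for r in rules)
    if default and default.action == "deny" and default.packets and not logged:
        findings.append(f"default deny matched {default.packets} packet(s) and no `deny log` "
                        "rule precedes it; e.g. `ipfw add 65000 deny log ip from any to any`")
    return findings
```

Logging only takes effect when the kernel was built with IPFIREWALL_VERBOSE or `net.inet.ip.fw.verbose` is set to 1, after which the denied packets appear in syslog with their addresses and interface.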