From owner-freebsd-ipfw Wed Oct 2 5:18:32 2002
Date: Wed, 2 Oct 2002 13:51:43 +0200
From: Georg Graf
To: freebsd-ipfw@freebsd.org
Subject: Natd plus stateful connections impossible?
Message-ID: <20021002115143.GA54827@graf.priv.at>
Mail-Followup-To: freebsd-ipfw@freebsd.org
User-Agent: Mutt/1.4i

Hi, this is a long story. Please be patient.

There is a thing I want to do with stateful rules and nat, but I think it is impossible.

I have a cable connection at home, and I may not run any services to the outside world (client only), but there is a fixed IP. But I want to run services available to _some_ hosts on the internet. There is a divert natd setup for 2-3 internal machines. For new services which per default bind to *.* I thought I could make a firewall that blocks my configuration laziness with stateful firewall rules, so I don't have to bother turning on nfsd or something like that.

The idea was: "Have a nat setup and stateful rules for all coming from the natted network or the gateway machine to the Internet. Allow incoming from friends. Deny all the rest that does not have a dynamic rule."

I failed.

The internal interface is ed0 (192.168.0.1), the external where natd runs on is ep0 (195.34.150.181).
All the rulesets I tried started with

    allow ip from any to any via lo0
    allow ip from any to any via ed0

Look:

1) "allow keep-state on packets before rewriting", i.e.:

    allow ip from any to any out via ep0 keep-state

and then:

    divert natd ip from any to any out via ep0

BUT this rule (divert natd) never matches because the allow in the rule before already sends the packet out. So it is not possible to have stateful rules like (192.168.0.2 2141 <-> 213.160.193.116 80) because I would have to divert and allow+keep in one rule, which is impossible.

2) "allow keep-state on packets as they are rewritten while passing out through ep0":

    divert natd ip from any to any out via ep0

and then

    allow ip from any to any out via ep0

Here the problem is with the packets coming back: If the check-state comes before the divert, then the packets which need to be rewritten to go to an internal host are ejected out of the chain too early. If the check-state comes after the divert, then the rules for the internal network do not match, because the rules are installed as (195.34.150.181 4711 <-> 213.160.193.116 80) and do not match (192.168.0.2 4711 <-> 213.160.193.116 80), for example.

3) I also tried to put divert and keep-state in one rule, but apparently this is nonsense. The dynamic rules are needed for a decision if a packet should be denied or allowed.
Anyhow, the result was funny: The packets seemed to have an endless loop in line 500:

    ipfw -f flush
    ipfw add 100 allow ip from any to any via lo0
    ipfw add 200 allow ip from any to any via ed0
    ipfw add 300 allow ip from any to any via wi0
    ipfw add 400 check-state
    ipfw add 500 divert natd log logamount 0 ip from me to any out via ep0 keep-state
    ipfw add 600 allow log logamount 0 ip from me to any out via ep0 keep-state

4) Let's try one more: Maybe we can have the following for incoming packets from the internet:

    check-state (for connections back to the gateway host)
    divert
    check-state (for connections back to the natted network)

Here we would have to allow+keep-state the outgoing packet from the natted network while it comes in via ed0:

    allow keep-state from 192.* to internet in via ed0
    divert outgoing through ep0
    allow + (keep-state only for the packets originating from the gateway machine) out through ep0

BUT in the step mentioned last there is no possibility to decide which one originated from the gateway because it's after rewriting.

Questions:

a) Is there a way to do the thing I want at all with ipfw?
b) If no, is there a proof?
c) Did I miss something obvious? (Maybe the intelligent use of skipto?)
d) Did I miss something not so obvious?

Thanks for your brain!

George

-- 
Georg Graf                     http://georg.graf.priv.at/
PGP Key ID: 0xA5232AD5
Gobergasse 43/2  A-1130 Wien   Tel: +43 1 8796723

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
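Editor's note, added to the archived message above and not part of Georg's post: question (c) has a yes answer, and skipto is the missing piece. Case 1 fails because "allow" terminates the rule search, so the packet never reaches the divert rule. A dynamic rule, however, inherits the action of the rule that created it, so "skipto 800 ... out via ep0 keep-state" records the session on the pre-NAT addresses (the 192.168.0.2 4711 <-> 213.160.193.116 80 form the post wants) and then continues at the divert rule, and a later check-state hit on that entry also jumps to 800. On the way in, divert natd comes before check-state, so a reply has already been translated back to the inside address when it is compared with the entry. The script below is example code written for this note, not the ruleset from the post nor FreeBSD's rc.firewall; it is the same skipto-around-divert arrangement documented in the FreeBSD Handbook's stateful ipfw/natd ruleset, laid out on the interfaces and public address from the post. The friend addresses (203.0.113.5, 198.51.100.0/24) are placeholders, and it assumes natd is already running on the "natd" divert port and was not started with -deny_incoming, so inbound packets without a NAT entry reach the gateway itself unchanged.

```sh
#!/bin/sh
# Added example (editor's, not from the original post): ipfw + natd + keep-state,
# using skipto so the dynamic rule is created *before* NAT without ending the
# rule search.  Interfaces and the public address follow the post (ed0 inside,
# ep0 outside, 195.34.150.181).  FRIENDS are placeholder TEST-NET addresses.
#
# Assumed: natd runs on divert port "natd" without -deny_incoming; the kernel
# reinjects diverted packets at the rule after the divert rule; and a check-state
# hit executes the action of the rule that created the dynamic entry.

IPFW="${IPFW:-/sbin/ipfw}"
OIF="${OIF:-ep0}"            # external interface, where natd runs
IIF="${IIF:-ed0}"            # internal interface
FRIENDS="${FRIENDS:-203.0.113.5 198.51.100.0/24}"   # placeholder trusted hosts
MODE="${1:-print}"           # "apply" loads the rules; anything else prints them

run() {
    # Print the ipfw command, or execute it when asked to apply.
    if [ "$MODE" = apply ]; then
        "$IPFW" -q "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

load_ruleset() {
    run -f flush

    # Loopback and the inside interface are unrestricted, as in the post.
    run add 100 allow ip from any to any via lo0
    run add 200 allow ip from any to any via "$IIF"

    # Inbound on the outside: translate FIRST.  A reply to a NATted host is now
    # addressed to 192.168.0.x again, i.e. the addresses the dynamic entry was
    # created with at rule 600.  Packets with no NAT entry pass through unchanged.
    run add 300 divert natd ip from any to any in via "$OIF"

    # Dynamic entries are keyed on pre-NAT (inside) addresses.  A hit executes the
    # creating rule's action: "skipto 800" for sessions opened from inside or by
    # the gateway (replies fall through 800 and are accepted at 900), "allow" for
    # connections that friends opened to this box.
    run add 400 check-state

    # Services on this box reachable only from friends.  A daemon that binds to
    # *.* by mistake is therefore still invisible to the rest of the Internet.
    for f in $FRIENDS; do
        run add 500 allow tcp from "$f" to me in via "$OIF" setup keep-state
    done

    # Everything leaving via the outside interface, from the LAN or from "me":
    # record the session on its pre-NAT addresses, then JUMP to the divert rule
    # instead of accepting, so the packet is still translated.  "allow ... keep-state"
    # here is case 1 of the post: state recorded, packet gone before natd sees it.
    run add 600 skipto 800 ip from any to any out via "$OIF" keep-state

    # Nothing else from the Internet gets in (no dynamic entry, not a friend).
    run add 700 deny log ip from any to any in via "$OIF"

    # Reached only via rule 600 or via a check-state hit on an entry it created.
    # Outbound packets are translated here and reinjected at 900; translated
    # inbound replies do not match 800 (they are "in") and land on 900 as well.
    run add 800 divert natd ip from any to any out via "$OIF"
    run add 900 allow ip from any to any

    run add 65000 deny ip from any to any
}

load_ruleset
```

Run without arguments to review the generated rules; run with "apply" (as root) to load them. Rule 900 accepts unconditionally, which is safe only because the only paths to it are the skipto at 600 and check-state hits on entries that rule created; keep rule 700 in place, or the fall-through from 800 becomes an open door for anything arriving on ep0.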