From owner-freebsd-questions Mon Dec 15 14:44:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA22918 for questions-outgoing; Mon, 15 Dec 1997 14:44:32 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from awfulhak.demon.co.uk (awfulhak.demon.co.uk [158.152.17.1]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA22844 for ; Mon, 15 Dec 1997 14:43:20 -0800 (PST) (envelope-from brian@awfulhak.org)
Received: from gate.lan.awfulhak.org (localhost [127.0.0.1]) by awfulhak.demon.co.uk (8.8.7/8.8.7) with ESMTP id VAA10644; Mon, 15 Dec 1997 21:55:53 GMT (envelope-from brian@gate.lan.awfulhak.org)
Message-Id: <199712152155.VAA10644@awfulhak.demon.co.uk>
X-Mailer: exmh version 2.0zeta 7/24/97
To: Font
cc: questions@FreeBSD.ORG
Subject: Re: natd and ipfw, how do they work together?
In-reply-to: Your message of "Mon, 15 Dec 1997 10:34:00 CST."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 15 Dec 1997 21:55:53 +0000
From: Brian Somers
Sender: owner-freebsd-questions@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I am a typical user of natd, using a machine with two interfaces to
> connect my private network with the Internet. I am also using the ipfw
> firewall software. This is all under 2.2.5-RELEASE.
>
> My question is, if I let a few machines on the private network access the
> Internet (but not others), how do I make sure that the firewall still
> functions when I am using natd?
>
> For instance, let's say an internal nameserver at 192.168.1.1 is allowed
> to get out to the Internet for DNS queries, using the firewall/gateway at
> 192.168.1.2. I would allow this with
>
> ipfw add divert natd udp from 192.168.1.1 to any 53 via fxp1
>
> where fxp1 is my outside interface on the firewall running ipfw. But when
> I want the result to come back, I have to send the packet back through
> natd again for translation. Until it's translated, though, I don't know
> what host it's for! Therefore something like
>
> ipfw add divert natd udp from any to 192.168.1.1 53 via fxp1
>
> won't work, because until natd translates fxp1's IP to 192.168.1.1, such a
> rule has no meaning. Hence my question.
>
> When natd does its translation, is the translated packet resent as if it
> came from the outside again, only with internal addresses properly
> inserted? Or after a packet goes through natd, does it just go to its
> destination without delay?
>
> If the latter is the case, then I really need two firewalls, one to
> prevent unauthorized traffic from leaving the network, and one to perform
> natd on and to prevent unauthorized traffic from entering the network.
>
> This is a pretty new experience for me, as we just got our T1, so if I've
> explained anything badly, please feel free to ask for more details.

Each incoming packet is subjected to the firewalling rules. When one of
these rules says ``divert'', the packet is sent to natd and no further
firewall rules are applied. The kernel is finished with the packet.

If natd chooses to re-insert the packet into the incoming packet stream
(which it always does), it's again subjected to the firewalling rules,
but *ignoring* the divert this time 'round. The result is that if you
put the divert rules at the start of your ipfw list, the remaining rules
get to see the un-aliased packet.

There are some regular arguments about whether the re-inserted packet
should be only subjected to the rules *after* the divert.... Either way,
IMHO, you should always put your divert rules first, then you get to
firewall what's *actually* being routed rather than what it looks like
to the outside world.

Outgoing packets are basically the same. Divert them first and you'll
get to firewall the real scenario rather than the fake ``outside world''
view.

> Thanks,
>
> dw
>
> A bug in my MUA causes news.announce.newusers font
> to be sent to beneficiaries and senders of UCE/SPAM. @
> mcs.net
> Wishes are like dishes.

--
Brian , ,
Don't _EVER_ lose your sense of humour....
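The following is an added illustration and is not code from this thread, from natd or from the FreeBSD kernel: a small Python model of the rule traversal described in the reply above for an incoming packet. It walks a list of simplified ipfw-style rules, translates the packet through a toy natd alias table when a `divert` rule matches, and then re-walks the rules under both of the re-insertion behaviours the reply mentions (restart from the top ignoring the divert, or continue at the rule after the divert). The addresses, the alias table entries and the cut-down rule syntax are all constructed for the example; only 192.168.1.1 and fxp1 come from the original question. Running it shows why a divert-first ruleset filters the DNS reply on the real inside address under either behaviour, while a ruleset that filters before the divert only works under one of them.

```python
# Added example: toy model of ipfw rule traversal with a divert-to-natd rule.
# Not FreeBSD code; the rule syntax and NAT table are deliberately simplified.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

OUTSIDE_IP = "203.0.113.2"    # constructed: public address on fxp1
INSIDE_DNS = "192.168.1.1"    # the permitted inside nameserver (from the question)
REMOTE_DNS = "198.51.100.53"  # constructed: a nameserver on the Internet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str


@dataclass(frozen=True)
class Rule:
    action: str                   # "divert", "allow" or "deny"
    proto: str = "any"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    iface: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and (self.sport is None or self.sport == p.sport)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport)
                and self.iface in ("any", p.iface))


class Natd:
    """Minimal alias table: (proto, public port) -> (inside host, inside port)."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_in(self, p: Packet) -> Packet:
        # Incoming packet addressed to the public address: restore the inside host.
        inside = self.table.get((p.proto, p.dport))
        if p.dst == OUTSIDE_IP and inside is not None:
            return replace(p, dst=inside[0], dport=inside[1])
        return p  # no alias entry: natd hands the packet back unchanged


def firewall(rules: List[Rule], p: Packet, natd: Natd, reinject: str) -> str:
    """Walk the rules; on a matching divert, translate and re-walk.

    reinject="start": re-inserted packet re-walks every rule, skipping the
                      divert (the behaviour the reply describes)
    reinject="after": re-inserted packet continues at the rule after the divert
                      (the alternative the reply mentions)
    """
    diverted = False
    i = 0
    while i < len(rules):
        r = rules[i]
        i += 1
        if not r.matches(p):
            continue
        if r.action == "divert":
            if diverted:
                continue          # second pass ignores the divert rule
            p = natd.translate_in(p)
            diverted = True
            if reinject == "start":
                i = 0
            continue
        return r.action
    return "deny"  # implicit default at the end of the list


def rules_for(divert_first: bool) -> List[Rule]:
    divert = Rule("divert", iface="fxp1")
    allow_dns_reply = Rule("allow", proto="udp", sport=53, dst=INSIDE_DNS, iface="fxp1")
    deny_all = Rule("deny")
    return ([divert, allow_dns_reply, deny_all] if divert_first
            else [allow_dns_reply, divert, deny_all])


def make_natd() -> Natd:
    # Constructed alias entries, standing in for what natd recorded when the
    # inside hosts sent their queries out through fxp1.
    natd = Natd()
    natd.table[("udp", 40000)] = (INSIDE_DNS, 1025)      # the permitted nameserver
    natd.table[("udp", 40001)] = ("192.168.1.7", 1025)   # some other inside host
    return natd


def outcome(divert_first: bool, public_port: int) -> Dict[str, str]:
    """Verdict for a DNS reply arriving on fxp1, under both re-insertion behaviours."""
    reply = Packet("udp", REMOTE_DNS, 53, OUTSIDE_IP, public_port, "fxp1")
    return {mode: firewall(rules_for(divert_first), reply, make_natd(), mode)
            for mode in ("start", "after")}


if __name__ == "__main__":
    for divert_first in (True, False):
        for port in (40000, 40001):
            print(f"divert first={divert_first} public port={port}: "
                  f"{outcome(divert_first, port)}")
```

With the divert rule first, the reply destined for 192.168.1.1 is allowed and the reply destined for the other inside host is denied, whichever re-insertion behaviour the kernel has, because the allow rule always sees the un-aliased destination. With the allow rule placed before the divert, the packet still carries the public address on the first pass, so the verdict depends on whether the re-inserted packet starts again from the top.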