Date:      Mon, 18 Feb 2002 09:46:12 -0500
From:      "Joe & Fhe Barbish" <barbish@a1poweruser.com>
To:        "Will Froning" <wfroning@angui.sh>
Cc:        "FBSD" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: natd and dynamic rules
Message-ID:  <LPBBIGIAAKKEOEJOLEGOKEONCHAA.barbish@a1poweruser.com>
In-Reply-To: <20020217224150.U48401@blossom.cjclark.org>

Boy, you sure dug deep into ipfw looking for a solution to
your problem. The real problem is that natd and ipfw were not
designed to work together. IPFW was designed as a firewall
where the ip addresses of all the machines behind the firewall
are public ip addresses assigned by your isp. In this
configuration ipfw has no problems making matches in the
dynamic table for packet flow. When the natd divert rule is
added to the ipfw rule set, you are now converting ip addresses
(from public to private on packets coming in from the internet,
and from private to public on packets leaving the lan for the
internet) right in the middle of checking the dynamic table
for matches by ip address and flow direction. This ip address
translation in the middle of ipfw creates mismatches in the
dynamic table. This is because ipfw and natd were never
designed to work together, and you cannot do anything about it.
Many, many users reach this point using the advanced
check-state/keep-state stateful rules and go back to a simple
stateful rule set using established/setup, which seems to work
better with natd in the rule set.

The real solution here is to remove natd from the ipfw rule set
and use user ppp -nat to do the ip address translation before the
packets get handed off to ipfw. This way ipfw always sees the
same ip address that created the dynamic table rule entry.

I also believe natd will run standalone and does not need ipfw to
trigger it. So if you enable natd in rc.conf before ipfw and remove
the divert rule from the ipfw rule set, you will accomplish the same
thing as using user ppp -nat.

I used user ppp -nat because I was already using user ppp and did
not want to start another permanently running task.

I do not know why all the sample ipfw rule sets one finds in the FBSD
Documentation always have the divert rule in them when this just
creates problems. This needs to be changed.

Give this a try and please let me know the results.

Joe

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Crist J. Clark
Sent: Monday, February 18, 2002 1:42 AM
To: Will Froning
Cc: questions@FreeBSD.ORG
Subject: Re: natd and dynamic rules

On Sun, Feb 17, 2002 at 08:13:51PM -0800, Will Froning wrote:
> [please CC me on replies, thanks]
>
> I have an issue with natd and my dynamic ipfw rules.  Here goes.
>
> I recently implemented natd on my FBSD4.5 firewall.  Here are the
> relevant ipfw rules (internal ip=192.168.100.1):
>
> 01400 divert 8668 ip from any to any via dc0
> 01500 check-state
> 01600 deny log tcp from any to any established
> 01700 allow tcp from ${oip} to any keep-state out setup
> 02800 allow ip from 192.168.100.0/24 to any keep-state via dc1
>
> When I start a ssh session from my firewall to my mail server the
> dynamic rule gets the correct lifetime value from
> net.inet.ip.fw.dyn_ack_lifetime.
>
> When I start a ssh session from 192.168.100.2 to my firewall's
> internal interface, I again get the correct lifetime value from
> net.inet.ip.fw.dyn_ack_lifetime.
>
> When I start a ssh session from 192.168.100.2 to a remote machine, the
> packet gets through just fine.  But when the dynamic rules come up I
> was suspecting both 2800 and 1700 to have the same lifetime value.
> That's not the case.  It seems when natd sends the packet out, the
> outgoing packet gets it's lifetime value from
> net.inet.ip.fw.dyn_syn_lifetime NOT net.inet.ip.fw.dyn_ack_lifetime!
>
> So my questions are these:
>
> 1) Is this purposely done by implementation or is this a bug in either
> ipfw or natd?
>
> 2) If this is a "feature", is there any way to change this to have
> both rules look at the same lifetime value?

It always seems like questions come in groups.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=13412+0+archive/2002/freebsd-net/20020217.freebsd-net

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=2858187+0+archive/2002/freebsd-questions/20020217.freebsd-questions

--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
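The following is an added example, not part of the thread: a deliberately simplified Python model of Will's rule set (01400 divert, 01500 check-state, 01700 keep-state on ${oip}, 02800 keep-state via dc1) that walks the first packets of a LAN-to-remote ssh session through ipfw with natd's divert rule in the middle, and again with NAT done before ipfw as Joe suggests. It assumes a keep-state entry that has seen only one direction of a flow stays in the SYN state (dyn_syn_lifetime) and moves to the ACK state (dyn_ack_lifetime) once both directions are seen; the addresses 203.0.113.5 and 198.51.100.9 are constructed, and TCP flags (the `setup` keyword) are ignored.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst iface out")  # out=True: leaving iface, False: arriving on it

PUBLIC = "203.0.113.5"      # constructed: firewall's public address (${oip})
LAN_HOST = "192.168.100.2"  # the LAN client from the thread
REMOTE = "198.51.100.9"     # constructed: the remote ssh server

class DynTable:
    """keep-state table: creator's (src, dst) -> set of directions seen so far."""
    def __init__(self):
        self.entries = {}

    def match(self, p):                 # check-state lookup, forward or reverse of the flow
        for (s, d), seen in self.entries.items():
            if (p.src, p.dst) == (s, d): seen.add("fwd"); return True
            if (p.src, p.dst) == (d, s): seen.add("rev"); return True
        return False

    def create(self, p):
        self.entries[(p.src, p.dst)] = {"fwd"}

    def states(self):                   # assumption: one direction -> syn lifetime, both -> ack lifetime
        return {k: "ack" if len(v) == 2 else "syn" for k, v in self.entries.items()}

def natd(p):
    """natd: LAN source -> public address going out; public destination -> LAN host coming in."""
    if p.out and p.src == LAN_HOST: return p._replace(src=PUBLIC)
    if not p.out and p.dst == PUBLIC: return p._replace(dst=LAN_HOST)
    return p

def ipfw(p, table, divert_in_ruleset):
    """Rules 01400-02800 from the question, evaluated in order (TCP flags ignored)."""
    if divert_in_ruleset and p.iface == "dc0": p = natd(p)      # 01400 divert 8668 ip from any to any via dc0
    if table.match(p): return "check-state"                     # 01500 check-state
    if p.out and p.src == PUBLIC:                               # 01700 allow tcp from ${oip} to any keep-state out setup
        table.create(p); return "01700"
    if p.iface == "dc1" and p.src.startswith("192.168.100."):   # 02800 allow ip from 192.168.100.0/24 to any keep-state via dc1
        table.create(p); return "02800"
    return "deny"

def ssh_from_lan(divert_in_ruleset):
    """Walk the start of a LAN_HOST -> REMOTE session through both ipfw hooks.
    With divert_in_ruleset=False the assumption is that NAT already happened
    before ipfw (ppp -nat), so ipfw sees the private address in both directions."""
    t = DynTable()
    ipfw(Pkt(LAN_HOST, REMOTE, "dc1", False), t, divert_in_ruleset)  # SYN arrives from the LAN
    ipfw(Pkt(LAN_HOST, REMOTE, "dc0", True), t, divert_in_ruleset)   # the same SYN leaves for the internet
    reply_dst = PUBLIC if divert_in_ruleset else LAN_HOST
    ipfw(Pkt(REMOTE, reply_dst, "dc0", False), t, divert_in_ruleset) # SYN-ACK arrives
    ipfw(Pkt(REMOTE, LAN_HOST, "dc1", True), t, divert_in_ruleset)   # SYN-ACK handed to the LAN
    return t.states()
```

With the divert rule in place the entry created by 02800 sees both directions, while the entry 01700 created for the translated address only ever sees outbound packets and so keeps the SYN lifetime Will observed; with NAT done before ipfw only one entry exists and it reaches the ACK state.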

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message