Date:      Fri, 30 Jan 2015 12:05:07 +0300
From:      Lev Serebryakov <lev@FreeBSD.org>
To:        Julian Elischer <julian@freebsd.org>, freebsd-net@freebsd.org
Subject:   Re: ipfw, nat and stateful firewall: why "keep-state" on "skipto" works at all and how do this properly?
Message-ID:  <54CB4943.4050104@FreeBSD.org>
In-Reply-To: <54CAED70.1080501@freebsd.org>
References:  <54CAD234.3020407@FreeBSD.org> <54CAED70.1080501@freebsd.org>


On 30.01.2015 05:33, Julian Elischer wrote:

>> 12700 skipto 12900 ip from any to any keep-state
>> 12800 deny ip from any to any
>> 12900 nat 1 ip from any to any out
>> 12999 allow ip from any to any
>> 
>> And rules for inbound ones are:
>> 
>> 11000 deny ip from any to not me
>> 11500 nat 1 ip from any to any
>> 11510 check-state
>> 11600 allow tcp from any to me ssh,http setup keep-state
>> 11999 deny ip from any to any
> ok so the dynamic rule is created on the outgoing packet, and
> associated with skipto 12900 which sets up a NAT session.
> 
> on a later incoming packet, the rule 11500 is hit first so the
> packets are NAT'd back, and then their state is compared to that
> stored in the outgoing path, and if they match, they go to 12900 
> where they are not checked again because they are not 'out'
> packets. so it falls through to 12999 and is allowed in. (in its
> changed form). packets that are not in a known session fall through
> the check-state and are dropped.
> 
> it all looks ok to me. kinda cute actually.
  Not cute at all for me, as 12900 needs "out" (it is already in the "out"
group of rules!) and an incoming packet is jumped to the outbound section :)

> It would be really cool if state could hold the NAT'd form of the 
> packets as well. but what you have above is really kinda cute, and
> seems to work as far as I can read. what "other filtration" do you
> want?
 Other filtration is hypothetical now, but I don't like this "skip ->
nat with additional "redundant" check -> allow" pattern.

> I always do what is done here and separate inwards and outwards 
> packets for the external interface into two different sets of
> rules (and another set for other interfaces).
  Yep, it is exactly what I do; these two groups of rules are not the only
rules, of course.

-- 
// Lev Serebryakov AKA Black Lion
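To make the packet walk Julian describes concrete, here is a toy model of that ruleset (an added example, not code from the message or from ipfw itself): it implements only the pieces the discussion needs (rule order, the "out" qualifier, skipto, keep-state/check-state with a dynamic-rule table, and nat as a flat address rewrite), and the addresses and ports are constructed sample values.

```python
# Toy model of the ipfw walk from the thread: just enough of skipto, keep-state,
# check-state and nat to trace why an inbound reply lands in the outbound section.
WAN_IP, LAN_IP, REMOTE = "203.0.113.1", "192.0.2.10", "198.51.100.7"  # constructed
RULES = {  # number -> (action, static selectors); 'keep' marks keep-state
    11000: ("deny", dict(to="not me")),
    11500: ("nat", {}),
    11510: ("check-state", {}),
    11600: ("allow", dict(dir="in", setup=True, keep=True)),   # ssh,http setup
    11999: ("deny", {}),
    12700: ("skipto 12900", dict(keep=True)),
    12800: ("deny", {}),
    12900: ("nat", dict(dir="out")),
    12999: ("allow", {}),
}
NUMS = sorted(RULES)
dynamic, nat_sessions = {}, set()   # dynamic-rule table and NAT translation table
def static_match(m, p):  # only direction, 'to not me' and 'setup' (SYN) are modeled
    return ((not m.get("dir") or m["dir"] == p["dir"]) and (not m.get("setup") or p["syn"])
            and (m.get("to") != "not me" or p["dst"] != WAN_IP))
def tup(p, rev=False):   # flow key (addresses and ports only), optionally reversed
    k = (p["src"], p["sport"], p["dst"], p["dport"]); return k[2:] + k[:2] if rev else k
def do_nat(p):  # flat rewrite: masquerade LAN source outbound, restore it on known replies
    if p["dir"] == "out" and p["src"] == LAN_IP:
        p["src"] = WAN_IP; nat_sessions.add(tup(p))
    elif p["dir"] == "in" and tup(p, rev=True) in nat_sessions:
        p["dst"] = LAN_IP
def walk(p, start):
    """Walk from rule `start`; return (verdict, numbers of the rules that fired)."""
    fired, i = [], NUMS.index(start)
    while True:
        n = NUMS[i]; action, m = RULES[n]
        parent = dynamic.get(tup(p)) if action == "check-state" or m.get("keep") else None
        if parent:                           # state hit: the parent rule's action runs
            action = parent
        elif action == "check-state" or not static_match(m, p):
            i += 1; continue
        elif m.get("keep"):                  # first packet of the flow creates the state
            dynamic[tup(p)] = dynamic[tup(p, rev=True)] = action
        fired.append(n)
        if action in ("allow", "deny"):
            return action, fired
        if action == "nat":
            do_nat(p); i += 1
        else:                                # "skipto N" jumps there, even for an inbound packet
            i = NUMS.index(int(action.split()[1]))
def trace_session():
    dynamic.clear(); nat_sessions.clear()
    out = dict(dir="out", src=LAN_IP, sport=40000, dst=REMOTE, dport=80, syn=True)
    rep = dict(dir="in", src=REMOTE, sport=80, dst=WAN_IP, dport=40000, syn=False)
    odd = dict(dir="in", src=REMOTE, sport=443, dst=WAN_IP, dport=40001, syn=False)
    return walk(out, 12700), walk(rep, 11000), rep["dst"], walk(odd, 11000)
```

The reply fires 11500 (un-NAT), then 11510, whose dynamic-rule hit runs the parent's "skipto 12900"; 12900 does not match because the packet is not "out", so it falls through to 12999, which is exactly the jump into the outbound section the thread objects to.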