Date: Wed, 3 Jan 2001 02:32:26 -0800 (PST)
From: Luigi Rizzo <rizzo@aciri.org>
To: kehlet@fisix.com (Steven Kehlet)
Cc: freebsd@canyon.demon.nl, rizzo@aciri.org, freebsd-security@freebsd.org
Subject: Re: statefull packet filter together with natd question
Message-ID: <200101031032.f03AWQ479661@iguana.aciri.org>
In-Reply-To: <20010102151817.F59927@leviathan.techfuel.com> from Steven Kehlet at "Jan 2, 2001 3:18:17 pm"
> entire day before giving up and using ipfilter. It seems to me
> that there is a fundamental problem with using the ipfw stateful

I think you are making the wrong assumption -- you can create the
dynamic rule and divert to natd by putting the 'keep-state' option
into the 'divert natd' rule (step 1&2 of your first example).

cheers
luigi

> rules and natd (as I'm sure you discovered yourself): the ordering
> of translation needs to be reversed upon return, and I couldn't
> seem to find a way to do that with ipfw. That is, the ordering
> should be:
>
> out:
> 1. make dynamic rule via keep state
> 2. translate via natd
>
> returning:
> 3. untranslate via natd
> 4. validate packet via dynamic rules
>
> But there is no way to do this with ipfw because outgoing processing
> stops at step #1, preventing the packets from reaching the natd
> rule.
>
> Another sensible scenario might be:
>
> out:
> 1. translate via natd
> 2. make dynamic rule via keep state
>
> returning:
> 3. validate packet via dynamic rules
> 4. untranslate via natd
>
> But now you're screwed the other direction: you can't do steps #3
> then #4 on returning because processing stops at #3.
>
> I too started getting desperate and tried a number of tricks like
> having two natd rules (none of which worked, however) :-). Please
> correct me if my analysis is incorrect! :-) I like the interface
> of ipfw much better than ipf and would rather use it if possible.
>
> Steve
>
> On Wed, Dec 20, 2000 at 11:22:39PM +0100, Rene de Vries wrote:
> > Date: Wed, 20 Dec 2000 23:22:39 +0100
> > From: Rene de Vries <freebsd@canyon.demon.nl>
> > To: Luigi Rizzo <rizzo@aciri.org>
> > Cc: freebsd-hackers@FreeBSD.ORG
> > Subject: Re: statefull packet filter together with natd question
> >
> > On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > > > Currently I'm trying to move towards a stateful packet filter. When testing
> > > > without nat all seems to work fine. But when I added natd (as the first
> > > > rule) packets that were natd-ed on their way out had their return traffic
> > > > blocked. The question is, what am I doing wrong?!?
> > >
> > > nat changes addresses and then reinjects packets in the firewall.
> > > Chances are that there is no dynamic rule matching the
> > > packet after the translation.
> >
> > This is what I know, the problem is how to nat at the right time. I played
> > with two natting rules, one for incoming and one for outgoing traffic (to the
> > same nat process) but I didn't get it working. This made me think that there
> > should be a simple solution to this problem.
> >
> > --
> > Rene de Vries http://www.tcja.nl mailto:rene@tcja.nl

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
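A toy model of the rule walk argued over in this thread, added here as an example and not code from ipfw or from anyone in the thread. It encodes only the behaviour the messages state (a matching allow/keep-state rule installs a bidirectional dynamic entry and stops processing, divert natd rewrites addresses and re-enters the chain at the next rule, check-state accepts a packet matching an entry) and runs Steve's two orderings beside Luigi's keep-state-on-divert rule; the addresses, the rule representation and the trailing plain allow rule are constructed assumptions.

```python
# Toy model of ipfw rule processing as described in the thread (simplified).
# Constructed addresses: inside host, the NAT (public) address, a remote host.
INSIDE, PUBLIC, REMOTE = "10.0.0.5", "198.51.100.1", "203.0.113.9"

def natd(pkt):
    """Outbound: rewrite the inside source to PUBLIC; inbound: map PUBLIC back."""
    src, dst = pkt
    if src == INSIDE:
        return (PUBLIC, dst)
    if dst == PUBLIC:
        return (src, INSIDE)
    return pkt

def walk(rules, pkt, direction, state):
    """Run one packet through the chain. Returns (verdict, packet as delivered)."""
    for rule_dir, action in rules:
        dynamic = pkt in state or pkt[::-1] in state   # bidirectional entry
        if action == "check-state":
            if dynamic:
                return "allow", pkt
            continue
        stateful = action.endswith("keep-state")
        if not (dynamic and stateful) and rule_dir not in ("any", direction):
            continue                                    # static match failed
        if stateful:
            state.add(pkt)          # entry keyed on the addresses seen *here*
        if action.startswith("allow"):
            return "allow", pkt     # processing stops: later rules never run
        if action.startswith("divert natd"):
            pkt = natd(pkt)         # natd reinjects at the next rule
    return "deny", pkt

def round_trip(rules):
    """Outbound packet from the inside host, then the remote host's reply."""
    state = set()
    out = walk(rules, (INSIDE, REMOTE), "out", state)
    back = walk(rules, (REMOTE, PUBLIC), "in", state)
    return out, back

# The orderings from the thread as constructed rule lists (not ipfw syntax).
KEEP_STATE_FIRST = [("out", "allow keep-state"), ("any", "divert natd")]
NATD_FIRST = [("any", "check-state"), ("any", "divert natd"), ("out", "allow keep-state")]
KEEP_STATE_ON_DIVERT = [("any", "divert natd keep-state"), ("any", "check-state"), ("out", "allow")]

if __name__ == "__main__":
    for name, rules in [("keep-state first", KEEP_STATE_FIRST), ("natd first", NATD_FIRST),
                        ("keep-state on divert", KEEP_STATE_ON_DIVERT)]:
        print(name, round_trip(rules))
```

In the model the first ordering sends the outbound packet with its private source address because natd is never reached, the second accepts the reply before it is untranslated so it never reaches the inside host, and only the keep-state-on-divert ordering delivers both directions correctly.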