From owner-freebsd-bugs Thu Aug 16 10:32:55 2001 Delivered-To: freebsd-bugs@freebsd.org Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id D978737B40B for ; Thu, 16 Aug 2001 10:32:41 -0700 (PDT) (envelope-from cjc@earthlink.net) Received: from blossom.cjclark.org (dialup-209.245.128.59.Dial1.SanJose1.Level3.net [209.245.128.59]) by albatross.prod.itd.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id KAA17923; Thu, 16 Aug 2001 10:32:39 -0700 (PDT) Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f7GGlvt05018; Thu, 16 Aug 2001 09:47:57 -0700 (PDT) (envelope-from cjc) Date: Thu, 16 Aug 2001 09:47:57 -0700 From: "Crist J. Clark" To: mikescott@clara.net Cc: freebsd-bugs@FreeBSD.ORG Subject: Re: kern/29294: IPFW dynamic rules and NATD interaction has logical design flaw Message-ID: <20010816094757.B4232@blossom.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <200108071530.f77FU2U76051@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200108071530.f77FU2U76051@freefall.freebsd.org>; from mikescott@clara.net on Tue, Aug 07, 2001 at 08:30:02AM -0700 Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Aug 07, 2001 at 08:30:02AM -0700, mikescott@clara.net wrote: > On 6 Aug 2001, at 16:14, David Hedley wrote: > > For this to work, you need to split your firewall rules between incoming and > > outgoing packets and divert them to natd at different times. No, there is a much easier way. $fwcmd add divert natd all from any to any via ${natd_interface} $fwcmd add check-state $fwcmd add pass ip from ${oip} to any out via ${oif} keep-state $fwcmd add pass ip from ${net} to any in via ${iif} keep-state Just create dynamic rules on packets going _in_ the internal interface(s). We now get two dynamic rules for each "connection," one using the translated source one using the private net address. > However, even though there is a workable solution, I'd still contend > the basic design is logically flawed -- it's the embedding of the nat > diversion into the firewall rules that requires that the rules be so > split: I'm no OS design expert, but I'm still prepared to stick my > neck out and say the nat should occur immediately data is > transferred to/from the device, in which case the firewall rules deal > only with one set of addresses and are much simpler. This would require NAT to take place in the kernel which is against one of the fundamental design assumptions of natd(8). natd(8) works the way it does for good reasons. However, it is not perfect, there are both pros and cons to the design. > I *think* this > is what happens with ipf, to which (in desperation :-) ) Yes. ipf(8) and ipnat(8) live in the kernel. This design also has pros and cons. > I've already > switched -- certainly the equivalent rules for ipf are much simpler > and seem to work as expected. (As an aside, I wonder why fbsd > offers two different firewalls? ipf seems to offer a superset of ipfw's > facilities, claims to be portable, and if my experience is anything to > go by, is easier to set up: why keep ipfw?) ipfw(8) is the native firewall. ipf(8) is externally maintained. I think the only real bug that might be here is that the default rc.firewall does not actually work with natd(8) and that is not what the original PR is about. Unless someone objects, I am going to close this PR later today. If someone feels the need to, a PR about rc.firewall can be submitted separately. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message