Date: Thu, 11 Apr 2002 10:42:58 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Message-ID: <20020411104257.A38831@blossom.cjclark.org>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOKEMJCNAA.barbish@a1poweruser.com>; from barbish@a1poweruser.com on Thu, Apr 11, 2002 at 08:19:33AM -0400
References: <20020410220816.A37066@blossom.cjclark.org> <LPBBIGIAAKKEOEJOLEGOKEMJCNAA.barbish@a1poweruser.com>
On Thu, Apr 11, 2002 at 08:19:33AM -0400, Joe & Fhe Barbish wrote: > >Right, everything in the sample works fine. > Except the keep-state rules. > > >It doesn't work the way you want them to. They work just as they are > >advertised. There are no bugs. This is an enhancement or change > >request. > > Call it what you want, ipfw natd does not work with keep-state rules. > I have proved that fact with the test docs I sent you. You have only shown your rules don't work. > >If someone wants to do this, they can try, but it is going to be a > >mess. natd(8) lives separate from the ipfw(8) rules for a > >reason. Trying to get natd(8) to know about firewall rules breaks the > >whole model. If someone really wants to do this, they might be better > >off starting from scratch and doing it all in the kernel. > > I am just using the PR as the vehicle to inform the ipfw maint team > about a problem, it's up to them to take corrective action or not. It is a well known issue. There is nothing to correct although some developer somewhere may wish to provide alternate functionality. > >If I recall the thread on the mail lists, at least lugui and ru told > >you the same thing. > > You recall wrong. You are the only person to post to the questions > list on this PR. No, I was thinking of threads on other lists. 
Mainly, I was recalling when I explained this whole matter to you previously on -questions with the thread that starts with this message, http://docs.freebsd.org/cgi/getmsg.cgi?fetch=2414241+0+archive/2002/freebsd-questions/20020217.freebsd-questions As for luigi and ru, I was thinking of remarks they made in these other threads that delt with the same issue, http://docs.freebsd.org/cgi/getmsg.cgi?fetch=8742+0+archive/2002/freebsd-ipfw/20020217.freebsd-ipfw http://docs.freebsd.org/cgi/getmsg.cgi?fetch=4468+0+archive/2002/freebsd-ipfw/20020217.freebsd-ipfw (Both of these threads started in the same week so see, http://docs.freebsd.org/mail/archive/2002/freebsd-ipfw/20020217.freebsd-ipfw.html For an overview.) > >If you can find someone who wants to do the work, great. I don't think > >any of the current ipfw(8) and natd(8) hackers see much of a problem. > > That is not for you to decide. > Leave the pr open and let the team decide for them selves, just like any > other pr. As the messages above show, luigi, ru, and I don't see a real problem that needs fixing (or at least don't see a tractable problem that can be realistically fixed). I think that's enough opinions from developers who care about ipfw(8) to close the PR. > >If you want to make this work, you can, just not with the rules you are > using. > > If you are saying there is some other way to use the keep-state option that > will work with natd, then why have you not said so before this. I thought we had gone through this on the previous -questions thread. One of the possible approaches is to use 'skipto' rules so that packets crossing the external interface get 'check-state'ed before natd(8) in one direction and after natd(8) in the other. Then the addresses match up. Another trick, and the one I used to use, was to create a 'keep-state' rule as the packet crossed the internal interface _and_ the external interface. Packets on the external interface matched one rule or the other depending on the direction. 
However, this effectiveness of this method depends on the usage pattern; there can be timeout issues. Anyway, I really don't see the point of all of this. You are running ppp(8). Why not just do NAT in ppp(8)? It's the exact same code, and it does not have any of these issues. > If your saying to return to using stateless rules and setup/established then > that's un-acceptable as that results in a firewall that's way to easy > to penetrate. I also explained this to you in the -questions thread. When you use natd(8) in conjunction with stateless filter rules, the firewall is _not_ easy to penetrate. A stateless firewall combined with NAT effectively makes a stateful firewall. > That's the reason people used IPFILTER before keep-state > option came out. It's also a reason people have come to think of NAT as a security feature rather than what it really was created for. People used NAT, even when they didn't need to, to make stateless packet filters stateful. > Ipfw keep-state works correctly with user ppp -Nat so I will stay with it. Great. Everybody happy. > If nothing else you need to change the natd man page info to state it does > not work with keep-state rules. > If you want me to create an pr to the doc group, I can do that. Everything works just like the documentation says it does. No where in ipfw(8) does it ever mention natd(8), so no where does it describe incorrect ways to use natd(8) and 'keep-state' rules. The natd(8) manpage never mentions 'keep-state' rules, so it doesn't mislead people either. What documentation needs changing? I don't see much point in adding documentation to manpages that says, "If you try to combine rules and features that do not work well together, things will not work well." On the other hand, a FAQ item on this is easier to point to than having to explain it everytime. -- Crist J. 
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
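The address mismatch Crist describes, and the 'skipto' arrangement he suggests as a workaround, are shown below in an added illustration that is not part of the original message or of the FreeBSD project's code. It is a toy Python model of ipfw rule evaluation with a natd(8) divert: dynamic rules are keyed on the addresses a packet carries when the keep-state rule fires, check-state compares against the addresses the packet carries when it runs, and a dynamic match executes the parent rule's action. The rule numbers, the two rulesets, all IP addresses, and the simplified rule matcher (direction and source network only) are constructed assumptions for the demonstration.

```python
"""Toy model of ipfw dynamic rules crossing a natd divert (added example)."""
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")   # constructed sample values
PUBLIC_IP = ip_address("203.0.113.5")
REMOTE_IP = ip_address("198.51.100.20")
CLIENT_IP = ip_address("192.168.1.10")


def rule(num, action, direction="any", src=None, keep_state=False, target=None):
    """A rule: 'direction' is in/out/any on the external interface, 'src' a network."""
    return {"num": num, "action": action, "dir": direction, "src": src,
            "keep_state": keep_state, "target": target}


def matches(r, pkt):
    if r["dir"] != "any" and r["dir"] != pkt["dir"]:
        return False
    return r["src"] is None or pkt["src"] in r["src"]


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.states = {}   # (src, dst) -> parent rule: the dynamic rule table
        self.nat = {}      # natd's table: (PUBLIC_IP, remote) -> private src

    def natd(self, pkt):
        """Simulate the natd(8) divert: rewrite src going out, dst coming back in."""
        if pkt["dir"] == "out" and pkt["src"] in INTERNAL_NET:
            self.nat[(PUBLIC_IP, pkt["dst"])] = pkt["src"]
            pkt["src"] = PUBLIC_IP
        elif pkt["dir"] == "in" and (pkt["dst"], pkt["src"]) in self.nat:
            pkt["dst"] = self.nat[(pkt["dst"], pkt["src"])]
        return pkt

    def dynamic_match(self, pkt):
        key = (pkt["src"], pkt["dst"])
        return self.states.get(key) or self.states.get(key[::-1])

    def index_of(self, num):
        return next((i for i, r in enumerate(self.rules) if r["num"] >= num),
                    len(self.rules))

    def process(self, pkt):
        pkt, i = dict(pkt), 0
        while i < len(self.rules):
            r, i = self.rules[i], i + 1
            if r["action"] == "check-state":
                r = self.dynamic_match(pkt)      # on a hit, run the parent rule
                if r is None:
                    continue
            elif not matches(r, pkt):
                continue
            if r["keep_state"]:
                self.states[(pkt["src"], pkt["dst"])] = r
            if r["action"] in ("allow", "deny"):
                return r["action"], pkt
            if r["action"] == "divert":
                pkt = self.natd(pkt)
            elif r["action"] == "skipto":
                i = self.index_of(r["target"])
        return "deny", pkt   # nothing matched: default deny


# Ordering that fails: natd runs first both ways, so the dynamic rule is keyed
# on the public address (outbound, post-NAT) while the reply is checked after
# un-NAT, when it already carries the private address.
NAIVE = [
    rule(100, "divert"),
    rule(200, "check-state"),
    rule(300, "allow", "out", keep_state=True),
    rule(400, "deny"),
]

# The skipto arrangement: outbound packets are check-state'd before natd,
# inbound packets after it, so state is created and looked up on the same
# (private) addresses.
SKIPTO = [
    rule(100, "skipto", "in", target=500),
    rule(200, "check-state"),
    rule(300, "skipto", "out", INTERNAL_NET, keep_state=True, target=400),
    rule(350, "deny"),
    rule(400, "divert", "out"),
    rule(410, "allow"),
    rule(500, "divert", "in"),
    rule(510, "check-state"),
    rule(520, "deny"),
]


def run_session(rules):
    """One outbound packet, its reply, and an unsolicited inbound probe."""
    fw = Firewall(rules)
    out_v, out_p = fw.process({"src": CLIENT_IP, "dst": REMOTE_IP, "dir": "out"})
    rep_v, rep_p = fw.process({"src": REMOTE_IP, "dst": PUBLIC_IP, "dir": "in"})
    probe_v, _ = fw.process({"src": ip_address("192.0.2.99"), "dst": PUBLIC_IP, "dir": "in"})
    return {"out": out_v, "out_src": str(out_p["src"]), "reply": rep_v,
            "reply_dst": str(rep_p["dst"]), "probe": probe_v}


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("skipto", SKIPTO)):
        print(name, run_session(rules))
```

With the naive ruleset the outbound packet leaves with the public source address, but the reply is denied because the dynamic entry was recorded on the public address and the check runs on the un-NAT'd private one. With the skipto ruleset the reply is allowed and delivered to the private client, and an inbound packet with no matching state is still denied.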