Date: Wed, 4 Jun 2003 18:52:59 +0300 From: Vandyuk Eugene <duke@irpen.kiev.ua> To: freebsd-security@freebsd.org Subject: Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT) Message-ID: <20030604185259.E29212@irpen.kiev.ua> In-Reply-To: <20030602200857.T6733-100000@cactus.fi.uba.ar>; from fgleiser@cactus.fi.uba.ar on Mon, Jun 02, 2003 at 08:11:40PM -0300 References: <20030602174758.3f85db72.vladg@vipnet.ro> <20030602200857.T6733-100000@cactus.fi.uba.ar>
On Mon, Jun 02, 2003 at 08:11:40PM -0300, Fernando Gleiser wrote:
> On Mon, 2 Jun 2003, Vlad GALU wrote:
>
> > Example one: IPF is compiled in kernel, IPFW is a module. In this case
> > IPFW stands 'outside' of IPF.
> > Example two: vice versa: the order in which they take action is reversed
> > too.
>
> Are you sure? Last time I saw the code (almost a year ago) it didn't
> make a difference if they were loaded as modules or compiled in kernel.
> The hooks were in the same place.
>
> > IPNAT is always 'outside' IPF.
>
> Or, in other words, IPF always 'sees' the real IPs, not the NATed ones.

I have done some tests with IPFW and IPF compiled in kernel and I was confused.

Packet flow was:

OUTGOING: IPF -> IPNAT -> IPFW
INCOMING: IPNAT -> IPF -> IPFW

As a result, both outgoing and incoming packets are NAT'ed _before_ IPFW?!

Rule matching in IPFW looks very strange:

add count ip from NAT_IP to any out
add count ip from any to REAL_IP in

but in IPFilter it looks good:

permit out from REAL_IP to any
permit in from any to REAL_IP

So I suggest that in a kernel with IPFW+IPF compiled in, stateful filtering does not work in IPFW but only works in IPFilter???

I think it's wrong and it should be corrected in this way:

OUTGOING: IPF -> IPNAT -> IPFW
INCOMING: IPFW -> IPNAT -> IPF

This flow of packets will let IPFW do proper stateful filtering on packets NAT'ed via IPNAT. IPFW would always be 'outside' IPNAT.

Also, this way will give more capabilities for building firewalls with all the power and flexibility of IPFW and IPFilter in one kernel.

With respect.
Eugene.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030604185259.E29212>
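The two hook orderings Eugene describes, as an added example that is not part of the original thread or of the FreeBSD kernel code: a small model of IPF, IPNAT and IPFW as a chain of hooks, where each filter does keep-state on the way out and check-state on the way in using the addresses it actually sees at its own hook. The addresses are constructed (documentation ranges), and the assumption that IPNAT preserves the source port is made only to keep the model short. Running it shows why, with the observed ordering, an IPFW dynamic rule created on the outbound packet never matches the reply (IPFW sees NAT_IP on the way out but REAL_IP on the way in), while with the proposed ordering IPFW sits outside IPNAT in both directions and its state matches.

```python
"""Model of the IPF/IPNAT/IPFW hook orderings described in the message.

Constructed example: it models the two orderings given in the message,
not the FreeBSD kernel code itself. Addresses are constructed
(RFC 5737 documentation ranges); IPNAT preserving the source port is an
assumption made to keep the model small.
"""
from dataclasses import dataclass, replace

REAL_IP = "192.168.1.10"    # constructed: host behind the NAT box
NAT_IP = "203.0.113.1"      # constructed: the box's public address
REMOTE_IP = "198.51.100.7"  # constructed: server the host talks to

# Hook orderings exactly as listed in the message.
ORDER_OBSERVED = {"out": ["ipf", "ipnat", "ipfw"], "in": ["ipnat", "ipf", "ipfw"]}
ORDER_PROPOSED = {"out": ["ipf", "ipnat", "ipfw"], "in": ["ipfw", "ipnat", "ipf"]}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """keep-state on outbound, check-state on inbound, keyed on the
    4-tuple the filter actually sees at its own hook."""

    def __init__(self):
        self.dyn = set()
        self.seen = {}  # direction -> packet as it looked at this hook

    def out(self, p):
        self.seen["out"] = p
        self.dyn.add((p.src, p.sport, p.dst, p.dport))
        return p, True

    def inbound(self, p):
        self.seen["in"] = p
        # A reply matches only if its reversed tuple was recorded on the way out.
        return p, (p.dst, p.dport, p.src, p.sport) in self.dyn


class Ipnat:
    """Source NAT: REAL_IP -> NAT_IP outbound, reversed for replies."""

    def __init__(self):
        self.table = {}  # source port -> original source address

    def out(self, p):
        if p.src == REAL_IP:
            self.table[p.sport] = p.src
            return replace(p, src=NAT_IP), True
        return p, True

    def inbound(self, p):
        if p.dst == NAT_IP and p.dport in self.table:
            return replace(p, dst=self.table[p.dport]), True
        return p, True


def simulate(order):
    """Send one request out through order["out"], build the reply a remote
    host would send, and push it back in through order["in"]. Returns the
    source address on the wire, the final destination, each filter's
    check-state verdict on the reply, and what ipfw saw in each direction."""
    hooks = {"ipf": StatefulFilter(), "ipnat": Ipnat(), "ipfw": StatefulFilter()}
    p = Packet(REAL_IP, 40000, REMOTE_IP, 80)
    for name in order["out"]:
        p, _ = hooks[name].out(p)
    wire = p
    p = Packet(wire.dst, wire.dport, wire.src, wire.sport)  # the reply
    verdict = {}
    for name in order["in"]:
        p, ok = hooks[name].inbound(p)
        if name != "ipnat":
            verdict[name] = ok
    return {
        "wire_src": wire.src,
        "delivered_dst": p.dst,
        "reply_accepted": verdict,
        "ipfw_saw": hooks["ipfw"].seen,
    }


if __name__ == "__main__":
    for label, order in (("observed", ORDER_OBSERVED), ("proposed", ORDER_PROPOSED)):
        r = simulate(order)
        print(label, r["reply_accepted"],
              "ipfw out src:", r["ipfw_saw"]["out"].src,
              "ipfw in dst:", r["ipfw_saw"]["in"].dst)
```

With ORDER_OBSERVED the model reproduces the "strange" counting rules from the message (ipfw sees NAT_IP as source on the way out and REAL_IP as destination on the way in) and ipfw's check-state rejects the reply, while IPF, which sits inside IPNAT in both directions, matches. With ORDER_PROPOSED both filters match.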