From owner-freebsd-security@FreeBSD.ORG Tue Jun 24 09:56:10 2003
From: Jim Hatfield
To: freebsd-security@freebsd.org
Date: Tue, 24 Jun 2003 17:55:25 +0100
Organization: Insignia Solutions
References: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
X-Mailer: Forte Agent 1.91/32.564
Subject: Re: IPFW: combining "divert natd" with "keep-state"
List-Id: Security issues [members-only posting]
X-List-Received-Date: Tue, 24 Jun 2003 16:56:11 -0000

On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you wrote:

>Attached is the conversation I had with Luigi Rizzo exactly
>three years ago on this topic. Maybe it is still helpful.

Well it was indeed. The use of skipto was the clue.
I didn't go with any of the setups suggested but rolled my own using that idea. Here it is, in use so far for four days with no problems:

#!/bin/sh
#
# rc.firewall for NAT'ing firewall router - dynamic rules version.
#
# JPH -- 20th Jun 2003 Created.
#
fw="/sbin/ipfw -q"
#
# Interface and address definitions
#
eint=rl0                      # External interface
iint=sis0                     # Internal interface
inet="192.168.100.0/24"       # Internal net
#
# Clear existing ruleset
#
$fw flush
#
# Transparent proxy: TCP packets to port 80 forwarded to Squid proxy
#
$fw add fwd 127.0.0.1,3128 tcp from $inet to any 80 in via $iint
#
# Internal interface and loopback interface are open
#
$fw add allow ip from any to any via $iint
$fw add allow ip from any to any via lo0
#
# Packets still being processed are traversing the external interface.
# De-NAT incoming packets to get back true destination address and port
#
$fw add divert natd ip from any to any in
#
# Dynamic rules: all outgoing packets create dynamic rules which are matched
# by both outgoing and incoming. Matching packets skip to rule 10000
#
$fw add check-state
$fw add skipto 10000 ip from any to any out keep-state
#
# Here we handle unsolicited incoming packets. Allow selected ones in
# and block the rest. Our first reply will create a dynamic rule.
#
$fw add allow tcp from any to any 25 in setup
$fw add allow icmp from any to any in icmptype 0,3,4,11
$fw add allow udp from any 67 to 255.255.255.255 68 in
$fw add deny log ip from any to any
#
# Packets matched by dynamic rules are tested here.
# Since they have matched a rule they can be passed.
# Outgoing packets still need to be NAT'ed first.
#
$fw add 10000 divert natd ip from $inet to any out
$fw add allow ip from any to any

I have a few extras in there that a "pure" router wouldn't need, i.e. the forwarding of http to a Squid cache and the acceptance of incoming SMTP, plus I have a Linksys DSL modem/bridge which broadcasts DHCPACK packets once a minute so I let them in to avoid polluting the logs.

The driver behind this is that I wanted to be able to pass UDP safely so I could then move on to get linuxigd working, so I can use Windows Messenger to have free voice conversations with a friend a few thousand miles away. What a shame that when I finally get round to looking at linuxigd I realise that it is written to use ipf and not ipfw :-((
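The rule walk the script's comments describe, as an added example that is not part of the original post or of ipfw: a small Python model of the ruleset above, showing which rules an outgoing connection, its reply, an unsolicited probe and an incoming SMTP setup hit, and where natd rewrites addresses. It assumes a made-up public address 203.0.113.5 on rl0, models only the rl0 leg of each packet, and leaves out the Squid, ICMP and DHCP rules.

```python
# Toy model of the ruleset above (rule order, keep-state/check-state, skipto 10000 and
# the two natd diversions), constructed to illustrate the packet path; it is not ipfw.
INET, IINT, PUB = "192.168.100.", "sis0", "203.0.113.5"   # PUB: assumed public address
state, nat = set(), {}   # dynamic rules; natd's port -> inner host table

def natd(p):  # mimic natd: outgoing src becomes PUB, incoming dst is mapped back
    if p["dir"] == "out" and p["src"].startswith(INET):
        nat[p["sport"]], p["src"] = p["src"], PUB
    elif p["dir"] == "in" and p["dst"] == PUB and p["dport"] in nat:
        p["dst"] = nat[p["dport"]]

def flow(p):  # direction-independent key, so a reply matches its request's state
    ends = sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])
    return (p["proto"], ends[0], ends[1])

RULES = [  # (number, action, predicate) in the order the script adds them
    (100, "allow", lambda p: p["iface"] in (IINT, "lo0")),
    (200, "divert", lambda p: p["dir"] == "in"),
    (300, "check-state", lambda p: flow(p) in state),
    (400, "skipto", lambda p: p["dir"] == "out"),                # ... keep-state
    (500, "allow", lambda p: p["dir"] == "in" and p["proto"] == "tcp" and p["dport"] == 25 and p["setup"]),
    (600, "deny", lambda p: True),                                # deny log; ICMP/DHCP rules omitted
    (10000, "divert", lambda p: p["dir"] == "out" and p["src"].startswith(INET)),
    (10100, "allow", lambda p: True),
]
TARGET = [r[0] for r in RULES].index(10000)

def walk(p):  # returns (verdict, rule numbers matched); p is rewritten as natd would
    path, i = [], 0
    while i < len(RULES):
        num, action, match = RULES[i]
        i += 1
        if not match(p): continue
        path.append(num)
        if action in ("allow", "deny"): return action, path
        if action == "divert": natd(p)
        elif action == "skipto": state.add(flow(p)); i = TARGET   # keep-state, then jump
        elif action == "check-state": i = TARGET   # a hit runs the parent rule's skipto 10000
    return "deny", path   # implicit default rule 65535

def pkt(d, proto, src, sport, dst, dport, setup=False):  # a packet seen on rl0
    return dict(dir=d, iface="rl0", proto=proto, src=src, sport=sport, dst=dst, dport=dport, setup=setup)

def demo():  # four packets on the external interface -> (verdict, path, src, dst)
    state.clear(); nat.clear()
    out = pkt("out", "tcp", "192.168.100.10", 40000, "198.51.100.1", 80, True)
    reply = pkt("in", "tcp", "198.51.100.1", 80, PUB, 40000)
    probe = pkt("in", "tcp", "198.51.100.7", 5555, PUB, 22, True)
    smtp = pkt("in", "tcp", "198.51.100.7", 6000, PUB, 25, True)
    return [walk(q) + (q["src"], q["dst"]) for q in (out, reply, probe, smtp)]
```

The second result shows the point of the ordering: the reply is de-NATed by rule 200 first, so check-state sees the inner address recorded by the outgoing packet and sends it to 10000 instead of the unsolicited-traffic rules.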