Date: Fri, 21 Dec 2001 21:45:23 -0800
From: Luigi Rizzo <rizzo@aciri.org>
To: "Earl A. Killian" <earl@killian.com>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state
Message-ID: <20011221214523.B21919@iguana.aciri.org>
In-Reply-To: <200112220531.fBM5Vui36708@gate.killian.com>
References: <200112220531.fBM5Vui36708@gate.killian.com>
I am under the impression that you probably do not need stateful rules
for natd'ed sessions, because natd is itself stateful.

cheers
luigi

On Fri, Dec 21, 2001 at 09:31:56PM -0800, Earl A. Killian wrote:
> I tried a firewall using keep-state and ran into a problem. I am
> looking for suggestions on the best way to fix it. My firewall
> was essentially
>
> <<anti-spoofing rules>>
> divert natd all from any to any via ${oif}
> check-state
> <<filter connection setups with keep-state on the ones allowed>>
>
> The problem is that the firewall is invoked twice, on both
> input and output. A host on the inside initiates a connection by
> sending a SYN packet from INSIDE-IP to OUTSIDE-IP. This was accepted
> via one of the filters and a keep-state was done. Next, the kernel
> determines that the packet is destined for outside, so it is run
> through the rules a second time on the way out. This time it is
> diverted to natd which rewrites it to a packet from OIF-IP to
> OUTSIDE-IP. Another dynamic rule is created for this by a subsequent
> keep-state. When the SYN ACK comes back from OUTSIDE-IP to GATE, it
> is diverted on input to natd, which rewrites it as OUTSIDE-IP to
> INSIDE-IP. This hits the check-state and is accepted by the first
> dynamic rule created above, and ups the lifetime of the rule to 1000s.
> However, the second dynamic rule created above will eventually time
> out (it has only a 20s lifetime because it never sees the SYN ACK), at
> which point the connection is blocked (further packets from INSIDE-IP
> to OUTSIDE-IP will be dropped on the floor on output).
>
> One way to fix this would be to augment the rules to accept anything
> output from the gateway to the internet:
>
> <<anti-spoofing rules>>
> divert natd all from any to any via ${oif}
> allow all from ${oip} to any out xmit ${oif}
> check-state
> <<filter connection setups with keep-state on the ones allowed>>
>
> This will prevent the need for the second dynamic rule. However, it
> seems to compromise security somewhat since it is fairly permissive,
> and generally one follows the rule that anything not required is
> denied. Is there a better way?
>
> -Earl
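Added example, not part of either message above: a small Python model of the double pass through the ruleset that Earl describes (input pass, then output pass with natd rewriting the source), showing the two dynamic entries that keep-state creates and the connection stalling once the 20 s entry expires, versus the single entry when his extra `allow ... out xmit ${oif}` rule is present. Addresses, the `Ipfw` class and the simplified natd rewrite are constructed for illustration and are not ipfw's real internals.

```python
# Toy model of the ipfw pass described in the thread. Each packet traverses
# the ruleset twice (input, then output); the divert rule hands the outbound
# packet to natd (modelled as a plain source rewrite); keep-state creates a
# dynamic entry keyed on the addresses as seen at that moment.
INSIDE, OIF, OUTSIDE = "192.0.2.10", "203.0.113.1", "198.51.100.9"  # constructed
SETUP_LIFE, ESTAB_LIFE = 20, 1000  # seconds, the two lifetimes quoted in the thread


class Ipfw:
    def __init__(self, allow_gateway_out=False):
        self.allow_gateway_out = allow_gateway_out  # Earl's proposed extra rule
        self.dynamic = {}  # (src, dst) -> expiry time
        self.now = 0

    def check_state(self, src, dst):
        # A live entry matches in either direction; a reverse-direction match
        # (the SYN ACK coming back) promotes the entry to the long lifetime.
        fwd, rev = (src, dst), (dst, src)
        if self.dynamic.get(fwd, -1) > self.now:
            return True
        if self.dynamic.get(rev, -1) > self.now:
            self.dynamic[rev] = self.now + ESTAB_LIFE
            return True
        return False

    def pass_packet(self, src, dst, direction, setup):
        # "divert natd all from any to any via ${oif}": outbound packets from
        # the inside host leave with OIF as source; inbound replies addressed
        # to OIF get their destination restored to the inside host.
        if direction == "out" and src == INSIDE:
            src = OIF
        elif direction == "in" and dst == OIF:
            dst = INSIDE
        if self.allow_gateway_out and direction == "out" and src == OIF:
            return True  # "allow all from ${oip} to any out xmit ${oif}"
        if self.check_state(src, dst):
            return True
        if setup and dst == OUTSIDE:  # permitted connection setup, keep-state
            self.dynamic[(src, dst)] = self.now + SETUP_LIFE
            return True
        return False  # anything not required is denied


def handshake_then_data(allow_gateway_out=False):
    fw = Ipfw(allow_gateway_out)
    fw.pass_packet(INSIDE, OUTSIDE, "in", True)    # SYN enters on the inside interface
    fw.pass_packet(INSIDE, OUTSIDE, "out", True)   # same SYN leaves via oif, natd rewrites it
    fw.pass_packet(OUTSIDE, OIF, "in", False)      # SYN ACK arrives on oif, natd un-rewrites
    fw.pass_packet(OUTSIDE, INSIDE, "out", False)  # SYN ACK leaves on the inside interface
    entries = sorted(fw.dynamic)
    fw.now = 60  # the 20 s setup entry has expired, the 1000 s one has not
    data_ok = (fw.pass_packet(INSIDE, OUTSIDE, "in", False)
               and fw.pass_packet(INSIDE, OUTSIDE, "out", False))
    return entries, data_ok
```

Without the extra rule the model ends up with two dynamic entries and the later data packet is dropped on the output pass; with it, only the INSIDE-to-OUTSIDE entry exists and the data packet passes.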