Date: Fri, 20 Jun 2003 11:40:55 +0100
From: Jim Hatfield <subscriber@insignia.com>
To: freebsd-security@freebsd.org
Subject: Re: IPFW: combining "divert natd" with "keep-state"
Message-ID: <hoo5fv47iqp19rvp253tau6d61f4sdq5br@4ax.com>
In-Reply-To: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
References: <3203DF3DDE57D411AFF4009027B8C367444536@exchange-uk.isltd.insignia.com>
On Wed, 11 Jun 2003 12:20:20 +0100, in local.freebsd.security you wrote:

>: ipfw -f flush
>: ipfw add 100 divert natd ip from any to any via rl0 in
>: ipfw add 200 check-state
>: ipfw add 300 deny ip from 192.168.0.0/16 to any in via rl0
>: ipfw add 300 deny ip from any to 192.168.0.0/16 in via rl0
>: ipfw add 400 skipto 500 ip from any to any out via rl0 keep-state
>: ipfw add 500 divert natd ip from any to any out via rl0
>: ipfw add 600 deny ip from 192.168.0.0/16 to any out via rl0
>: ipfw add 600 deny ip from any to 192.168.0.0/16 out via rl0
>: ipfw add 65000 allow ip from any to any

Tricky indeed. I've been playing with the rules suggested by Greg Panula, but I don't really like them for a couple of reasons:

- I prefer to keep the internal interface open. I often telnet into the router and keep the session open and inactive for hours, and the dynamic rules time out and kill it.

- a rule is created which is never used, i.e. the outgoing packet starting a conversation creates two rules, only one of which is used in the check-state to match incoming.

So I will try out your set. But one question first: do you ever get hits on the second rule 300? I would have thought it very difficult for anyone to route a packet to you with a non-routable destination address. Surely only your ISP could do that?

Jim
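The following is an added example, not code from the message above nor from FreeBSD or ipfw. It is a toy first-match evaluator for the quoted ruleset, written to make the ordering visible: `divert natd` runs before `check-state` on the inbound path and after `keep-state` on the outbound path, so the dynamic flow entry is always keyed on the untranslated internal address. The model makes several simplifying assumptions: every packet is `via rl0`, `divert natd` is modelled as an immediate in-line address rewrite (real natd is a separate process that reinjects the packet at the next rule), the public address of rl0 and the hosts are constructed values from documentation ranges, and `expire_dynamic_rules()` simulates the ipfw dynamic rule lifetime running out while natd still holds its mapping. Under those assumptions the last scenario shows one way the second rule 300 can get a hit without anyone routing a packet to a private destination: natd itself rewrites the destination to an internal address at rule 100 before rule 300 is reached.

```python
"""Toy first-match evaluator for the ipfw ruleset quoted in the message.

Added example; not the message author's or FreeBSD's code.  Models only
what the quoted rules need: first-match evaluation, skipto, keep-state /
check-state with a flow table, and divert natd as an in-line rewrite.
All addresses are constructed (documentation ranges).
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"                      # assumed address of rl0 (constructed)
INTERNAL = ipaddress.ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out" on rl0 (all traffic assumed via rl0)


# (rule number, action, criteria) in the order quoted in the message
RULES = [
    (100,   "divert",      {"dir": "in"}),
    (200,   "check-state", {}),
    (300,   "deny",        {"dir": "in",  "src": INTERNAL}),
    (300,   "deny",        {"dir": "in",  "dst": INTERNAL}),
    (400,   "skipto",      {"dir": "out", "keep_state": True, "target": 500}),
    (500,   "divert",      {"dir": "out"}),
    (600,   "deny",        {"dir": "out", "src": INTERNAL}),
    (600,   "deny",        {"dir": "out", "dst": INTERNAL}),
    (65000, "allow",       {}),
]


def _in(net, addr):
    return ipaddress.ip_address(addr) in net


class Firewall:
    def __init__(self):
        self.flows = {}               # flow key -> index of the rule that created the state
        self.nat = {}                 # public port -> (internal ip, internal port)
        self.hits = [0] * len(RULES)  # hit counter per rule position (index 3 = second rule 300)

    @staticmethod
    def _flow_key(pkt):
        # Symmetric key so the reply direction matches the same dynamic entry
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def _matches(self, crit, pkt):
        if "dir" in crit and crit["dir"] != pkt.direction:
            return False
        if "src" in crit and not _in(crit["src"], pkt.src):
            return False
        if "dst" in crit and not _in(crit["dst"], pkt.dst):
            return False
        return True

    def _natd(self, pkt):
        """Simplified natd: outbound rewrites the source, inbound restores a known mapping."""
        if pkt.direction == "out":
            self.nat[pkt.sport] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_IP)
        if pkt.dst == PUBLIC_IP and pkt.dport in self.nat:
            ip, port = self.nat[pkt.dport]
            return replace(pkt, dst=ip, dport=port)
        return pkt      # no mapping: pass the packet through unchanged

    def expire_dynamic_rules(self):
        """Assumption for the demo: dynamic rules time out while natd keeps its mapping."""
        self.flows.clear()

    def process(self, pkt):
        """Return (verdict, packet as it leaves ipfw, number of the deciding rule)."""
        i = 0
        while i < len(RULES):
            number, action, crit = RULES[i]
            rule_idx, matched = i, False
            if action == "check-state":
                parent = self.flows.get(self._flow_key(pkt))
                if parent is not None:          # act as the rule that created the state
                    self.hits[i] += 1
                    rule_idx = parent
                    number, action, crit = RULES[parent]
                    matched = True
            elif self._matches(crit, pkt):
                self.hits[i] += 1
                matched = True
            if not matched:
                i += 1
                continue
            if action in ("allow", "deny"):
                return action, pkt, number
            if action == "divert":
                pkt = self._natd(pkt)
                i += 1
            elif action == "skipto":
                if crit.get("keep_state"):
                    self.flows[self._flow_key(pkt)] = rule_idx
                i = next(j for j, r in enumerate(RULES) if r[0] >= crit["target"])
        return "deny", pkt, None    # fell off the end: default deny


def demo():
    fw = Firewall()
    results = {}
    # 1. internal host opens a connection: rule 400 records state, rule 500 rewrites the source
    results["outbound"] = fw.process(Packet("192.168.1.10", 40000, "198.51.100.7", 80, "out"))
    # 2. the reply: natd at rule 100 restores the internal destination, check-state passes it
    results["reply"] = fw.process(Packet("198.51.100.7", 80, PUBLIC_IP, 40000, "in"))
    # 3. a packet arriving on rl0 with a private source address: first rule 300
    results["spoofed_src"] = fw.process(Packet("192.168.5.5", 1111, PUBLIC_IP, 22, "in"))
    # 4. dynamic entry gone, natd mapping still present: a late packet on the old flow is
    #    translated to an internal destination at rule 100 and then hits the second rule 300
    fw.expire_dynamic_rules()
    results["late_reply"] = fw.process(Packet("198.51.100.7", 80, PUBLIC_IP, 40000, "in"))
    return results, fw


if __name__ == "__main__":
    res, fw = demo()
    for name, (verdict, pkt, rule) in res.items():
        print(f"{name:12s} {verdict:5s} rule {rule}  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
    print("hits per rule position:", fw.hits)
```

The evaluator is deliberately minimal (no protocol or port matching, no dynamic rule refresh, no natd timeouts), so it only illustrates the interaction between rule order, NAT translation and dynamic state in the quoted set; how often the second rule 300 fires on a real box depends on the actual natd and ipfw timeouts, which this model does not reproduce.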
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?hoo5fv47iqp19rvp253tau6d61f4sdq5br>