Date:      Sun, 8 Jul 2001 08:27:33 -0400 (EDT)
From:      Ralph Huntington <rjh@mohawk.net>
To:        steve <steve@clublinux.org>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: IPFilter/IPNat and rdr
Message-ID:  <Pine.BSF.4.21.0107080817040.28308-100000@mohegan.mohawk.net>
In-Reply-To: <3B47EC3A.2734754F@clublinux.org>

The way ipfilter processes rules, a rule takes effect only if it is not
overridden by a subsequent rule, unless the 'quick' keyword is used. If
the 'quick' keyword is used, then the rule takes effect immediately and no
further rule processing occurs for that packet.

So how about something like this:

block in on ep0 from any to 192.168.0.0/16
pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80 ...

The first rule blocks traffic to the 192.168 net coming in through your
public interface, but the next rule overrides it and lets the packet in IF
it is bound for port 80 at that particular address.

You may or may not want the quick keyword in that second rule, depending
on whether or not you wish to do any further filtering on those packets
bound for your web server.

	Ralph


> pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80
> flags S keep state keep frags
> 
> However, because NAT occurs before the filtering, I can no longer have a
> rule to prevent packets from the outside that contain a destination IP
> on my internal network from passing through my firewall and entering my
> internal network like this:
> 
> block in quick on ep0 from any to 192.168.0.0/16
> 
> I realize that packets with a source or destination of 192.168.0.0/16
> should be dropped by routers on the internet, but I know this doesn't
> always happen as our firewall at work has recorded such packets in the
> past.  
> 
> Am I misunderstanding how IPFilter/IPNat work together correctly?  If
> so, is there a way around this problem?  If not, would the following
> provide the protection I'm looking for while still allowing people to
> access my web server from the outside?
> 
> pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80
> flags S keep state keep frags
> block in quick on ep0 from any to 192.168.0.0/16
> 
> This would prevent any packet from the outside with a destination
> address of my internal network from passing through the firewall unless
> it was specifically going to port 80 on my web server right?
> 
> Please CC me on any replies as I'm not currently subscribed to the list.
> 
> Thanks in advance,
> Steve
> 


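A small model of the rule-processing semantics described in this thread, added here as an illustration (it is not part of the original mail, nor IPFilter's own code). It evaluates the rule sets quoted above against constructed packets, handling only the action, 'quick', 'proto', destination and 'port' fields those rules use; interface, source, flags and state keywords are ignored, and the no-match default is 'pass' as in ipfilter.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # 'pass' or 'block'
    quick: bool                      # stop evaluating on a match
    proto: Optional[str]             # None = any protocol
    dst: ipaddress.IPv4Network       # destination network
    dport: Optional[int]             # None = any destination port


def parse_rule(line: str) -> Rule:
    """Parse the subset of ipf.conf syntax used in the thread."""
    t = line.split()
    proto = t[t.index("proto") + 1] if "proto" in t else None
    i = t.index("to")
    dst = ipaddress.ip_network(t[i + 1], strict=False)
    dport = int(t[i + 4]) if t[i + 2:i + 4] == ["port", "="] else None
    return Rule(t[0], "quick" in t, proto, dst, dport)


def matches(r: Rule, proto: str, dst: str, dport: int) -> bool:
    return ((r.proto is None or r.proto == proto)
            and ipaddress.ip_address(dst) in r.dst
            and (r.dport is None or r.dport == dport))


def evaluate(ruleset: List[str], proto: str, dst: str, dport: int) -> str:
    """Last matching rule wins; a matching 'quick' rule ends evaluation.
    With no matching rule at all, ipfilter passes the packet."""
    verdict = "pass"
    for r in map(parse_rule, ruleset):
        if matches(r, proto, dst, dport):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Ralph's suggestion: a plain block, overridden by a later quick pass.
RALPH = ["block in on ep0 from any to 192.168.0.0/16",
         "pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80"]
# Steve's second proposal: quick pass first, then quick block.
STEVE = ["pass in quick on ep0 proto tcp from any to 192.168.1.100/32 port = 80",
         "block in quick on ep0 from any to 192.168.0.0/16"]
# Constructed contrast: pass without 'quick', so the later block wins again.
NO_QUICK = ["pass in on ep0 proto tcp from any to 192.168.1.100/32 port = 80",
            "block in on ep0 from any to 192.168.0.0/16"]

if __name__ == "__main__":
    for name, rs in (("ralph", RALPH), ("steve", STEVE), ("no_quick", NO_QUICK)):
        print(name, evaluate(rs, "tcp", "192.168.1.100", 80),
              evaluate(rs, "tcp", "192.168.1.100", 22))
```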