Date: Tue, 25 Jan 2000 12:10:00 -0500 (EST) From: Jim Flowers <jflowers@ezo.net> To: freebsd-security@freebsd.org Subject: Skip, Natd, Ipfw, and VPN Nomads (long) Message-ID: <Pine.BSI.3.91.1000123203002.10162A-100000@lily.ezo.net>
next in thread | raw e-mail | index | archive | help
Skip and natd can be combined in a single FreeBSD box using ipfw rules to
control packet flow to natd in useful ways. Internal users can browse
the Internet or access resources on multiple remote VPN segments.
External clients can access internal servers through natd port redirects.
Adding nomad capability complicates the setup and two FreeBSD boxes are
required. A nomad is a client from anywhere on the Internet with an
ephimeral IP# that is not known in advance. When packets from the nomad
are first processed by skip the client is validated from its KeyID.
The corresponding IP# is entered in the access control list.
Unfortunately, it is not possible to use ipfw rules to differentiate between
response packets outbound to the nomad and internal client query packets
outbound to Internet servers.
This is singularly important when the nomad is a Windows based host that
is to join an internal NT domain. The logon server response packets must
bypass natd or the logon attempt will fail with a "failed to find
logon server" error report. Packets from internal clients browsing the
Internet, on the other hand, must go through natd to obtain a routable
return address.
The skip procedure provides for such a differentiation as it maintains a
table of all nomad IP numbers and will process those that match, passing on
those that do not. The skip procedure, however, follows natd in the
outbound direction so it is not sufficient for this duty. Thus the need for
two boxes, the inner box configured with skip - the outer box configured
with natd. Fortunately, skip packets will pass through the natd process
without alteration in both directions in the outer box.
For our wireless Internet connections, that is not a burden as the wi0
interface driver is not compatable with the skip procedure and a
second box is necessary on that account alone.
One added refinement. Once a Windows nomad is logged on to an NT domain,
it can use network neighborhood to browse hosts on the local network
segment. In order for the same capability to exist for remote network
segments, the decoded inbound packets must be 'educated' before
forwarding to the target host so that responses return to the skiphost
that was used to validate the nomad.
One way to do this is to use inbound natd so that the decoded
packets have the source address changed to that of the skiphost before
forwarding to the target host. In fact, I prefer this method when the
skiphost is located on a perimeter network acting as a VPN bypass around
the inside firewall interface (for secure packets only).
For systems relying on natd for security, I use the more traditional natd
approach (outbound interface) on the skiphost with specific ipfw
rules to divert only those packets destined for a remote VPN network
segment that both arrive and leave on the same interface.
A diagram will help to make the above concepts clearer.
========================Internet
|
[wi0] |
ipfw - divert(any) -> natd(wi0) | Gw/Nat
route |
ipfw |
[ed1] |
|
===============intermediate network
|
[ed1] |
ipfw - divert(remote only) ->natd(ed1) | VAC/Nomads
skip |
route |
ipfw |
[ed2] |
|
|
=================private network
|
|
[PDC]
route indicates kernel routing table
PDC indicates primary domain controller for NT network.
Gw/Nat - gateway/nat
VAC/Nomads - VPN access controller / Nomad Server
ACL - access control list
natd/skip notes
1. for Gw/Nat, skip packets will pass through natd unchanged in both
directions.
2. for VAC/Nomads, inbound skip packets will pass through natd
unchanged to be unpacked by skip and forwarded as determined by route.
3. Packets received on the ed1 interface, directed to remote networks will
be processed by skip in accordance with the destination ACL.
4. Packets generated by internal clients browsing the Internet will be
passed up by skip (no acl match) to Gw/Nat for processing by natd (divert
match any/any)
Skip, natd and ipfw all operate reliably, consistently and repeatably
once the relationships are understood and exploited properly.
Jim Flowers <jflowers@ezo.net>
#4 ISP on C|NET, #1 in Ohio
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.3.91.1000123203002.10162A-100000>