From owner-freebsd-ipfw Mon Jul 29 6:47:18 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1110B37B401 for ; Mon, 29 Jul 2002 06:47:12 -0700 (PDT)
Received: from relay01.esat.net (relay01.esat.net [192.111.39.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 684FF43E42 for ; Mon, 29 Jul 2002 06:47:10 -0700 (PDT) (envelope-from phil@ipac.ie)
Received: from ipac-gw.cr001.ddm.esat.net (mail.rfc-networks.ie) [193.95.188.30] by relay01.esat.net with esmtp id 17ZArd-000248-00; Mon, 29 Jul 2002 14:47:09 +0100
Received: from tear.domain (unknown [10.0.1.254]) by mail.rfc-networks.ie (Postfix) with ESMTP id 628FB54830 for ; Mon, 29 Jul 2002 13:51:14 +0100 (IST)
Received: by tear.domain (Postfix, from userid 1000) id F3C772113F; Mon, 29 Jul 2002 14:47:58 +0000 (GMT)
Date: Mon, 29 Jul 2002 14:47:58 +0000
From: Philip Reynolds
To: freebsd-ipfw@freebsd.org
Subject: 4.6-RELEASE / NATD + IPFW + keep-state
Message-ID: <20020729144758.A11849@rfc-networks.ie>
Reply-To: philip.reynolds@rfc-networks.ie
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Operating-System: FreeBSD 4.6-RC
X-URL: http://www.rfc-networks.ie
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi,

I'm having a few problems with using natd and ipfw. Originally, I was
having serious, serious problems trying to get stateful firewalling
working with NAT.

Currently my setup is the following:

    Public interface:  xl0
    Interface address: 10.0.0.1
    Subnet mask:       255.255.255.0

    Private interface: xl1
    Interface address: 10.0.1.1
    Subnet mask:       255.255.255.0

I am doing NAT on anything going out through xl0 from 10.0.1.0/24.

However, I want a default DENY policy, with a few stateful rules to
allow ssh, http-proxy and smtp (just common examples, I have plenty
more contrived wishes once this is up and working).

    divert 8668 ip from any to any
    check-state
    allow ip from 10.0.1.0/24 to 10.0.1.0/24 via xl1
    allow tcp from any to not 10.0.1.0/24 22 keep-state setup
    deny ip from any to any

After quite a lot of painful testing, I came up with the above rules.

    1. NAT everything going through xl0 (this can be refined later).
    2. Check the state of the packet.
    3. Allow stuff through on the inside interface, from a machine on
       the inside network to another machine on the inside network.
    4. Allow a setup packet (SYN but no ACK) from a machine on the
       inside network to a machine on the outside network (to port 22),
       and keep its state.
    5. Deny everything else.

This works, but not the way it should, as I'll explain below.

Once a connection is made to the machine, ``ipfw -d list'' brings up
the following in its dynamic ruleset:

    00100 11 726 (T 19, slot 137) <-> tcp, 10.0.0.56 3245<-> 10.0.0.10 22
    00100 33 3958 (T 299, slot 179) <-> tcp, 10.0.1.2 3245<-> 10.0.0.10 22

There are two connections showing, and the first is actually a SYN
packet, while the second is an ACK. What makes it obvious (at least to
me) is the value beside the T (i.e. the timeout value). The first
counts down from 20, the second from 300 (the default values of
net.inet.ip.fw.dyn_syn_lifetime and net.inet.ip.fw.dyn_ack_lifetime
respectively).

Basically, in ssh-like connections, this means pumping up
net.inet.ip.fw.dyn_ack_lifetime _AND_ net.inet.ip.fw.dyn_syn_lifetime,
which I'm a little wary of.

Is what's happening OK? Is there a different way I could order/write
the ruleset to have some "normal" stateful connections, i.e.:

    Packet comes in on inside interface.
    Packet matches access rule with keep-state option and gets added
      to dynamic ruleset.
    Packet NAT'd.
    Packet comes in on outside interface.
    Packet gets NAT'd.
    Packet matches check-state rule.

If anyone has any light to shed on the subject I would be very
grateful. I've spent the last 2 hours or so digging up material
(there's not a whole lot) on ipfw/nat/stateful firewalling, searching
the archives etc., but nothing that will explain the above behaviour
or give me a working alternative.

Regards,

-- 
Philip Reynolds                 | Technical Director
philip.reynolds@rfc-networks.ie | RFC Networks Ltd.
http://www.rfc-networks.ie      | +353 (0)1 8832063

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
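The following is an added example, not part of the post above and not a ruleset the poster or the FreeBSD project supplied; it shows the ordering that ipfw users commonly pair with natd so that a connection creates one dynamic rule rather than two. The idea is to run natd on packets coming in via the public interface before check-state, and to run natd on outgoing packets only after the keep-state rule has matched (via skipto), so the dynamic rule is always keyed on the private address and sees both directions of the flow. The interface names (xl0 public, xl1 private), the LAN 10.0.1.0/24 and the divert port 8668 are taken from the post; the rule numbers, the service list (22 and 25 only) and the DRYRUN switch are my own choices.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): ipfw + natd ordering in which
# each TCP connection from the LAN yields one dynamic rule keyed on the
# private address.  Assumed from the post: xl0 public, xl1 private,
# LAN 10.0.1.0/24, natd divert port 8668.  Rule numbers are my choice.

pif=xl0          # public interface (from the post)
lif=xl1          # private interface (from the post)
lan=10.0.1.0/24  # inside network (from the post)
natport=8668     # natd divert port (from the post)

# Emit the ruleset: one "rule-number rule-body" per line.
build_rules() {
    cat <<EOF
10 divert $natport ip from any to any in via $pif
20 check-state
30 allow ip from $lan to $lan via $lif
40 allow ip from $lan to any in via $lif
100 skipto 800 tcp from $lan to any 22 out via $pif setup keep-state
110 skipto 800 tcp from $lan to any 25 out via $pif setup keep-state
700 deny log ip from any to any
800 divert $natport ip from any to any out via $pif
810 allow ip from any to any
EOF
}
# Walk-through of the rules above:
#  10  un-NAT replies arriving on xl0 BEFORE any state lookup, so
#      check-state compares against the private address.
#  20  packets of an established flow jump to the parent rule's action
#      (skipto 800), get NAT'd if outbound on xl0, and are allowed.
#  40  the first pass of an outbound packet (in via xl1) is allowed
#      here; the real decision is made on the out-via-xl0 pass.
# 100+ SYN-only packets to the permitted services create the dynamic
#      rule while the source is still 10.0.1.x, then skip to natd.
#  700 default deny for everything that did not match.
#  800 natd for outbound packets, reached only via skipto, i.e. after
#      the state entry already exists.

# Load the rules, or print the ipfw commands when DRYRUN is set.
apply_rules() {
    build_rules | while read -r num rest; do
        # $rest is intentionally unquoted: each word is an ipfw argument.
        if [ -n "$DRYRUN" ]; then
            echo "ipfw -q add $num $rest"
        else
            ipfw -q add "$num" $rest
        fi
    done
}

# Usage: DRYRUN=1 sh thisfile.sh   (prints)   or   sh thisfile.sh   (loads)
if [ "${0##*/}" != "sh" ]; then
    apply_rules
fi
```

Run it once with DRYRUN=1 to review the generated ipfw commands before loading them on the gateway. With this layout the only dynamic entry ipfw -d list should show for an ssh session is the 10.0.1.x one, and because that entry matches the ACKs in both directions it is refreshed with the dyn_ack_lifetime value rather than expiring on dyn_syn_lifetime.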