From owner-freebsd-ipfw Fri Dec 21 21:45:56 2001
Date: Fri, 21 Dec 2001 21:45:23 -0800
From: Luigi Rizzo
To: "Earl A. Killian"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: keep-state
Message-ID: <20011221214523.B21919@iguana.aciri.org>
In-Reply-To: <200112220531.fBM5Vui36708@gate.killian.com>

I am under the impression that you probably do not need stateful rules
for natd'ed sessions, because natd is itself stateful.

cheers
luigi

On Fri, Dec 21, 2001 at 09:31:56PM -0800, Earl A. Killian wrote:
> I tried a firewall using keep-state and ran into a problem. I am
> looking for suggestions on the best way to fix it. My firewall
> was essentially
>
> <>
> divert natd all from any to any via ${oif}
> check-state
> <>
>
> The problem is that the firewall is invoked twice, on both
> input and output. A host on the inside initiates a connection by
> sending a SYN packet from INSIDE-IP to OUTSIDE-IP. This was accepted
> via one of the filters and a keep-state was done. Next, the kernel
> determines that the packet is destined for outside, so it is run
> through the rules a second time on the way out. This time it is
> diverted to natd which rewrites it to a packet from OIF-IP to
> OUTSIDE-IP. Another dynamic rule is created for this by a subsequent
> keep-state.
>
> When the SYN ACK comes back from OUTSIDE-IP to GATE, it
> is diverted on input to natd, which rewrites it as OUTSIDE-IP to
> INSIDE-IP. This hits the check-state and is accepted by the first
> dynamic rule created above, and ups the lifetime of the rule to 1000s.
> However, the second dynamic rule created above will eventually time
> out (it has only a 20s lifetime because it never sees the SYN ACK), at
> which point the connection is blocked (further packets from INSIDE-IP
> to OUTSIDE-IP will be dropped on the floor on output).
>
> One way to fix this would be to augment the rules to accept anything
> output from the gateway to the internet:
>
> <>
> divert natd all from any to any via ${oif}
> allow all from ${oip} to any out xmit ${oif}
> check-state
> <>
>
> This will prevent the need for the second dynamic rule. However, it
> seems to compromise security somewhat since it is fairly permissive,
> and generally one follows the rule that anything not required is
> denied. Is there a better way?
>
> -Earl
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message
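The following rc.firewall-style script is an added example, not code posted by Luigi or Earl, showing one common way to keep a single pre-NAT dynamic rule per session so the second, short-lived entry Earl describes is never created: inbound traffic on the outside interface is diverted to natd before check-state, and outbound traffic from the LAN is matched by a keep-state rule whose action is skipto a divert rule placed after the whole filter. Because a matching dynamic entry executes the action of the rule that created it, later packets of the session (in either direction) take the same skipto path. The interface names, the inside network and the FWCMD/OIF/IIF/INSIDE_NET environment knobs are assumptions made for the example; the rule numbers are arbitrary.

```shell
#!/bin/sh
# Added example: ipfw + natd + keep-state without a second dynamic rule.
# Assumed names (not from the thread): fxp0 outside, fxp1 inside,
# 192.168.1.0/24 as the LAN. Run as "./ipfw-natd.sh apply" to install;
# with no argument it only prints the rules (dry run via echo).

oif=${OIF:-fxp0}                  # outside (NATed) interface
iif=${IIF:-fxp1}                  # inside interface
inside_net=${INSIDE_NET:-192.168.1.0/24}
fwcmd=${FWCMD:-/sbin/ipfw}        # set FWCMD=echo to dry-run

# ruleset CMD: emit (or install, when CMD is ipfw) the rule list.
ruleset() {
    fw="$1"
    $fw -f flush

    # Loopback and the LAN side are trusted here; the LAN "in" pass of an
    # outbound packet is therefore accepted without recording any state.
    $fw add 50 allow ip from any to any via lo0
    $fw add 60 allow ip from any to any via "$iif"

    # Inbound on the outside interface: un-NAT first, then consult the
    # dynamic table. The SYN ACK arrives as OUTSIDE-IP -> OIF-IP, natd
    # rewrites it to OUTSIDE-IP -> INSIDE-IP, and check-state matches the
    # entry recorded before translation (INSIDE-IP <-> OUTSIDE-IP).
    $fw add 100 divert natd ip from any to any in via "$oif"
    $fw add 200 check-state

    # Outbound from the LAN on the "out" pass: record state once, BEFORE
    # natd, and jump straight to the outbound divert. The translated packet
    # re-enters at rule 910 and never revisits a keep-state rule, so only
    # one dynamic entry per session exists. A check-state hit on a later
    # packet executes this same skipto, so established traffic follows it.
    $fw add 300 skipto 900 tcp from "$inside_net" to any out via "$oif" setup keep-state
    $fw add 310 skipto 900 udp from "$inside_net" to any out via "$oif" keep-state
    $fw add 320 skipto 900 icmp from "$inside_net" to any out via "$oif" keep-state

    # Anything not explicitly allowed above is denied (default-deny).
    $fw add 800 deny log ip from any to any

    # Only packets already accepted by a skipto reach here: translate the
    # outbound ones and pass them; un-NATed inbound replies just pass.
    $fw add 900 divert natd ip from any to any out via "$oif"
    $fw add 910 allow ip from any to any
}

if [ "${1:-}" = "apply" ]; then
    ruleset "$fwcmd"
else
    ruleset echo
fi
```

The inbound divert sits above check-state and the outbound divert below the deny rule; reversing either placement reintroduces a post-NAT dynamic entry or lets untranslated traffic through. Earl's permissive `allow all from ${oip} to any out` line is not needed, since the only outbound packets that reach rule 900 are ones a keep-state rule (or an existing dynamic entry) already accepted.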