Date: Tue, 2 Jan 2001 15:18:17 -0800
From: Steven Kehlet <kehlet@fisix.com>
To: Rene de Vries <freebsd@canyon.demon.nl>
Cc: Luigi Rizzo <rizzo@aciri.org>, freebsd-security@freebsd.org
Subject: Re: statefull packet filter together with natd question
Message-ID: <20010102151817.F59927@leviathan.techfuel.com>
In-Reply-To: <20001220232239.A1012@canyon.demon.nl>; from freebsd@canyon.demon.nl on Wed, Dec 20, 2000 at 11:22:39PM +0100
References: <20001220184937.A788@canyon.demon.nl> <200012201757.eBKHvIb77566@iguana.aciri.org> <20001220232239.A1012@canyon.demon.nl>
[ moved from -hackers to -security ]

For whatever it's worth, I struggled with this same problem for an entire
day before giving up and using ipfilter. It seems to me that there is a
fundamental problem with using the ipfw stateful rules and natd (as I'm
sure you discovered yourself): the ordering of translation needs to be
reversed upon return, and I couldn't seem to find a way to do that with
ipfw. That is, the ordering should be:

out:
  1. make dynamic rule via keep state
  2. translate via natd

returning:
  3. untranslate via natd
  4. validate packet via dynamic rules

But there is no way to do this with ipfw because outgoing processing stops
at step #1, preventing the packets from reaching the natd rule.

Another sensible scenario might be:

out:
  1. translate via natd
  2. make dynamic rule via keep state

returning:
  3. validate packet via dynamic rules
  4. untranslate via natd

But now you're screwed the other direction: you can't do steps #3 then #4
on returning because processing stops at #3.

I too started getting desperate and tried a number of tricks like having
two natd rules (none of which worked, however) :-).

Please correct me if my analysis is incorrect! :-) I like the interface of
ipfw much better than ipf and would rather use it if possible.

Steve

On Wed, Dec 20, 2000 at 11:22:39PM +0100, Rene de Vries wrote:
> Date: Wed, 20 Dec 2000 23:22:39 +0100
> From: Rene de Vries <freebsd@canyon.demon.nl>
> To: Luigi Rizzo <rizzo@aciri.org>
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: Re: statefull packet filter together with natd question
>
> On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > > Currently I'm trying to move towards a stateful packet filter. When testing
> > > without nat all seems to work fine. But when I added natd (as the first
> > > rule) packets that were natd-ed on their way out had their return traffic
> > > blocked. The question is, what am I doing wrong?!?
> >
> > nat changes addresses and then reinjects packets in the firewall.
> > Chances are that there is no dynamic rule matching the
> > packet after the translation.
>
> This is what I know, the problem is how to nat at the right time. I played
> with two natting rules, one for incoming and one for outgoing traffic (to the
> same nat process) but I didn't get it working. This made me think that there
> should be a simple solution to this problem.
>
> --
> Rene de Vries http://www.tcja.nl mailto:rene@tcja.nl
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010102151817.F59927>
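To make the ordering problem discussed in this thread concrete, below is an added Python model of ipfw's first-match rule processing with keep-state, check-state and a natd divert. It is not from the thread and is not ipfw or natd code; it is a simplified simulation written for this page. It replays the two orderings Steve lists, the natd-first layout from Rene's question, and, going beyond what the thread covers, the skipto-based layout that FreeBSD later documented for combining natd with keep-state. The addresses, rule numbers, single-connection NAT table and the "10." test for internal hosts are constructed for the example; ports exist only as part of the address strings, and TCP is reduced to the "setup" (SYN) flag.

```python
"""Toy model of ipfw first-match processing with keep-state, check-state and
a natd divert.  Constructed for illustration, not ipfw or natd code: one
connection, "ip:port" address strings, natd rewrites src out / dst in."""
from dataclasses import dataclass, replace

# Constructed sample addresses (RFC 5737 documentation ranges).
LAN = "10.0.0.5:40000"       # internal client
PUB = "203.0.113.1:40000"    # gateway's public address after natd
EXT = "198.51.100.7:80"      # remote server

@dataclass
class Pkt:
    src: str
    dst: str
    direction: str       # "out" or "in" on the external interface
    setup: bool = False  # TCP SYN without ACK (ipfw "setup")

class Natd:
    """Stand-in for natd: remember the outbound mapping, undo it inbound."""
    def __init__(self):
        self.table = {}  # public address -> internal address

    def translate(self, p):
        if p.direction == "out" and p.src.startswith("10."):
            self.table[PUB] = p.src
            return replace(p, src=PUB)
        if p.direction == "in" and p.dst in self.table:
            return replace(p, dst=self.table[p.dst])
        return p

def R(num, action, **kw):
    return dict(num=num, action=action, **kw)

def matches(rule, p):
    d = rule.get("direction", "any")
    return (d == "any" or d == p.direction) and (not rule.get("setup") or p.setup)

def run(rules, p, natd, dyn):
    """First match wins; divert hands the rewritten packet back at the next
    rule; skipto jumps forward; a hit at check-state replays the action of
    the rule that created the dynamic entry."""
    i, skip = 0, {"action": "skip"}
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state":
            r = dyn.get((p.src, p.dst)) or dyn.get((p.dst, p.src)) or skip
        elif r["action"] == "divert" and matches(r, p):
            p, r = natd.translate(p), skip
        elif not matches(r, p):
            r = skip
        elif r.get("keep_state"):
            dyn[(p.src, p.dst)] = r  # keyed on the addresses as seen *here*
        if r["action"] in ("allow", "deny"):
            return r["action"], p
        if r["action"] == "skipto":
            i = next((j for j, x in enumerate(rules) if x["num"] >= r["target"]), len(rules))
        else:
            i += 1
    return "deny", p  # ipfw's implicit final deny

RULESETS = {
    "keep-state then natd": [  # Steve's first ordering
        R(100, "check-state"),
        R(200, "allow", direction="out", setup=True, keep_state=True),
        R(300, "divert"), R(65535, "deny")],
    "natd first": [  # Rene's layout: natd as the very first rule
        R(100, "divert"), R(200, "check-state"),
        R(300, "allow", direction="out", setup=True, keep_state=True),
        R(65535, "deny")],
    "natd out first, natd in last": [  # Steve's second ordering
        R(100, "divert", direction="out"), R(200, "check-state"),
        R(300, "allow", direction="out", setup=True, keep_state=True),
        R(400, "divert", direction="in"), R(65535, "deny")],
    # Not from the thread: the skipto layout FreeBSD later documented.
    # Untranslate inbound *before* check-state; outbound keeps state on the
    # internal address, then jumps to a late natd rule.
    "skipto": [
        R(100, "divert", direction="in"), R(200, "check-state"),
        R(300, "skipto", direction="out", setup=True, keep_state=True, target=1000),
        R(400, "deny"), R(1000, "divert", direction="out"), R(1010, "allow")],
}

def exercise(name):
    """One SYN out, its reply back.  Egress must leave with src == PUB and
    the reply must be delivered with dst == LAN for the setup to work."""
    natd, dyn = Natd(), {}
    v1, out = run(RULESETS[name], Pkt(LAN, EXT, "out", setup=True), natd, dyn)
    v2, back = run(RULESETS[name], Pkt(EXT, PUB, "in"), natd, dyn)
    return {"out": (v1, out.src), "back": (v2, back.dst)}

def unsolicited(name):
    """An inbound SYN nobody asked for, against a fresh gateway."""
    return run(RULESETS[name], Pkt(EXT, PUB, "in", setup=True), Natd(), {})[0]

if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:30} {exercise(name)}")
    print("unsolicited inbound, skipto ruleset:", unsolicited("skipto"))
```

Reading the results: with keep-state ahead of natd the SYN is accepted at the keep-state rule and leaves with its private source address, so no reply can ever come back; with natd first the dynamic entry is keyed on the translated source, so the reply is untranslated to the LAN address and then finds no matching state, which is exactly the symptom Rene reports and Luigi explains; with natd-in placed after the stateful allow the reply is accepted but still addressed to the gateway, never untranslated. The skipto layout works because the inbound divert runs before check-state and the outbound rule records state on the internal address before jumping past the accept to the outbound divert. In ipfw syntax that outbound rule would read roughly `skipto 1000 tcp from any to any out via <external-if> setup keep-state`, with the interface name being whatever the gateway uses.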