Date: Tue, 2 Jan 2001 15:18:17 -0800
From: Steven Kehlet
To: Rene de Vries
Cc: Luigi Rizzo, freebsd-security@freebsd.org
Subject: Re: statefull packet filter together with natd question
Message-ID: <20010102151817.F59927@leviathan.techfuel.com>
References: <20001220184937.A788@canyon.demon.nl> <200012201757.eBKHvIb77566@iguana.aciri.org> <20001220232239.A1012@canyon.demon.nl>
In-Reply-To: <20001220232239.A1012@canyon.demon.nl>; from freebsd@canyon.demon.nl on Wed, Dec 20, 2000 at 11:22:39PM +0100

[ moved from -hackers to -security ]

For whatever it's worth, I struggled with this same problem for an entire
day before giving up and using ipfilter.

It seems to me that there is a fundamental problem with using the ipfw
stateful rules and natd (as I'm sure you discovered yourself): the
ordering of translation needs to be reversed upon return, and I couldn't
seem to find a way to do that with ipfw. That is, the ordering should be:

out:
  1. make dynamic rule via keep state
  2. translate via natd

returning:
  3. untranslate via natd
  4. validate packet via dynamic rules

But there is no way to do this with ipfw because outgoing processing stops
at step #1, preventing the packets from reaching the natd rule.

Another sensible scenario might be:

out:
  1. translate via natd
  2. make dynamic rule via keep state

returning:
  3. validate packet via dynamic rules
  4. untranslate via natd

But now you're screwed the other direction: you can't do steps #3 then #4
on returning because processing stops at #3.

I too started getting desperate and tried a number of tricks like having
two natd rules (none of which worked, however) :-).

Please correct me if my analysis is incorrect! :-) I like the interface
of ipfw much better than ipf and would rather use it if possible.

Steve

On Wed, Dec 20, 2000 at 11:22:39PM +0100, Rene de Vries wrote:
> Date: Wed, 20 Dec 2000 23:22:39 +0100
> From: Rene de Vries
> To: Luigi Rizzo
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: Re: statefull packet filter together with natd question
>
> On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > > Currently I'm trying to move towards a stateful packet filter. When testing
> > > without nat all seems to work fine. But when I added natd (as the first
> > > rule) packets that were natd-ed on their way out had their return traffic
> > > blocked. The question is, what am I doing wrong?!?
> >
> > nat changes addresses and then reinjects packets in the firewall.
> > Chances are that there is no dynamic rule matching the
> > packet after the translation.
>
> This is what I know, the problem is how to nat at the right time. I played
> with two natting rules, one for incoming and one for outgoing traffic (to the
> same nat process) but I didn't get it working. This made me think that there
> should be a simple solution to this problem.
>
> --
> Rene de Vries http://www.tcja.nl mailto:rene@tcja.nl
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
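An added illustration, not part of the thread or of ipfw itself: a toy model of ipfw rule evaluation (a divert/natd rule, keep-state, check-state, first terminal action wins) that replays the orderings Steve and Luigi describe. Addresses, ports and the three rulesets are constructed; the model assumes, as ipfw does, that a keep-state rule implicitly checks the dynamic rules first and that natd reinjects the rewritten packet at the next rule.

```python
# Constructed addresses: inside host, the box's public address, a remote server.
INSIDE, PUBLIC, REMOTE = "10.0.0.5", "203.0.113.1", "198.51.100.9"

def flow(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])

def reverse(p):
    return (p["dst"], p["dport"], p["src"], p["sport"])

def natd(p, table, direction):
    """Minimal natd: rewrite src on the way out, undo it on the way back."""
    if direction == "out":
        table[(p["dst"], p["dport"], p["sport"])] = p["src"]
        return dict(p, src=PUBLIC)
    orig = table.get((p["src"], p["sport"], p["dport"]))
    return dict(p, dst=orig) if orig else p

def run(rules, p, direction, state, table):
    """Walk the ruleset like ipfw: the first terminal action ends processing."""
    for rule in rules:
        if rule == "divert natd":
            p = natd(p, table, direction)  # natd reinjects at the next rule
        elif rule in ("check-state", "allow out keep-state"):
            # a keep-state rule implicitly checks the dynamic rules first
            if flow(p) in state or reverse(p) in state:
                return "allow", p
            if rule != "check-state" and direction == "out":
                state.add(flow(p))  # create the dynamic rule, then stop
                return "allow", p
        elif rule == "deny":
            return "deny", p
    return "deny", p

def simulate(rules):
    """Send one outbound packet, then its reply, through the given ordering."""
    state, table = set(), {}
    out = {"src": INSIDE, "sport": 1234, "dst": REMOTE, "dport": 80}
    _, left = run(rules, out, "out", state, table)
    # the reply is addressed to whatever source address actually left the box
    reply = {"src": REMOTE, "sport": 80, "dst": left["src"], "dport": 1234}
    verdict, arrived = run(rules, reply, "in", state, table)
    return {"translated": left["src"] == PUBLIC, "reply_verdict": verdict,
            "reply_reaches_inside": arrived["dst"] == INSIDE}

if __name__ == "__main__":
    orderings = {
        "keep-state before natd": ["allow out keep-state", "divert natd", "deny"],
        "natd before keep-state": ["divert natd", "allow out keep-state", "deny"],
        "check-state before natd": ["check-state", "divert natd", "allow out keep-state", "deny"],
    }
    for name, rules in orderings.items():
        print(name, simulate(rules))
```

The three results show the three failures in the thread: keep-state first never reaches natd (the packet leaves untranslated), natd first leaves no dynamic rule matching the untranslated reply (Luigi's point), and check-state first accepts the reply but stops before natd can untranslate it.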