Date:      Wed, 4 Jun 2003 13:40:39 -0300 (ART)
From:      Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To:        Vandyuk Eugene <duke@irpen.kiev.ua>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Statefull filtering with IPFW + IPFilter (was: Packet flow through IPFW+IPF+IPNAT)
Message-ID:  <20030604133021.H24576-100000@cactus.fi.uba.ar>
In-Reply-To: <20030604185259.E29212@irpen.kiev.ua>

On Wed, 4 Jun 2003, Vandyuk Eugene wrote:

>
> I have done some tests with IPFW and IPF compiled in kernel and I was
> confused. Packet flow was:
>
>    OUTGOING:  IPF -> IPNAT -> IPFW
>    INCOMING:  IPNAT -> IPF -> IPFW

Yes. From ip_input.c:

iphack:
        /*
         * Check if we want to allow this packet to be processed.
         * Consider it to be bad if not.
         */
        if (fr_checkp) {
                struct  mbuf    *m1 = m;

                if ((*fr_checkp)(ip, hlen, m->m_pkthdr.rcvif, 0, &m1) || !m1)
                        return;
                ip = mtod(m = m1, struct ip *);
        }
        if (fw_enable && IPFW_LOADED) {


The first 'if' checks if ipf is loaded, and calls the filter function if it
is. The second one does the same for ipfw.

And for outgoing packets, from ip_output.c:

        if (fr_checkp) {
                struct  mbuf    *m1 = m;

                if ((error = (*fr_checkp)(ip, hlen, ifp, 1, &m1)) || !m1)
                        goto done;
                ip = mtod(m = m1, struct ip *);
        }

        /*
         * Check with the firewall...
         * but not if we are already being fwd'd from a firewall.
         */
        if (fw_enable && IPFW_LOADED && !args.next_hop) {

Again, ipf gets called before ipfw.


>
> As the result - both outgoing/incoming packets are NAT'ed _before_ IPFW ?!

Yes, if you use ipnat for NAT.

>    I think it's wrong and it should be corrected in this way:
>
>    OUTGOING:  IPF -> IPNAT -> IPFW
>    INCOMING:  IPFW -> IPNAT -> IPF

There was some discussion some time ago on ipf's mailing list. I don't remember
Darren's position on this.



			Fer



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030604133021.H24576-100000>
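The practical consequence of the hook order quoted above is that ipfw matches on translated addresses in both directions: on output, ipf sees the pre-NAT source and ipfw the post-NAT one; on input, ipnat has already rewritten the destination before either filter runs. The following is an added userland model of that ordering, not FreeBSD kernel code and not from the thread; the functions fr_check_model, ipfw_model, ip_input_model and ip_output_model, the ipnat mapping (192.168.1.0/24 masquerading as 203.0.113.5, with 192.168.1.32 as the single reverse mapping) and all addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD source: a userland model of the hook order the
 * thread derives from ip_input.c / ip_output.c.  (*fr_checkp)() (IPFilter,
 * with ipnat inside it) runs before the ipfw hook on both paths, so ipfw only
 * ever sees translated addresses.  Addresses and the NAT mapping are
 * constructed for illustration.
 */

typedef uint32_t ipaddr_t;              /* IPv4 address, host byte order */

static ipaddr_t ip4(int a, int b, int c, int d)
{
	return ((ipaddr_t)a << 24) | ((ipaddr_t)b << 16) |
	       ((ipaddr_t)c << 8) | (ipaddr_t)d;
}

struct pkt {
	ipaddr_t src, dst;
};

/* What each filter observed when its hook ran. */
struct trace {
	struct pkt seen_by_ipf;
	struct pkt seen_by_ipfw;
};

/* Hypothetical ipnat rule: 192.168.1.0/24 -> 203.0.113.5 outbound; inbound
 * packets to 203.0.113.5 go back to one host (a real ipnat keeps a table). */
#define INSIDE_NET   ip4(192, 168, 1, 0)
#define INSIDE_MASK  ip4(255, 255, 255, 0)
#define INSIDE_HOST  ip4(192, 168, 1, 32)
#define OUTSIDE_ADDR ip4(203, 0, 113, 5)

static void ipnat(struct pkt *p, int out)
{
	if (out && (p->src & INSIDE_MASK) == INSIDE_NET)
		p->src = OUTSIDE_ADDR;          /* source NAT on the way out */
	else if (!out && p->dst == OUTSIDE_ADDR)
		p->dst = INSIDE_HOST;           /* reverse mapping on the way in */
}

/* Model of (*fr_checkp)(): ipf filter plus ipnat, ordered as observed in the
 * thread (filter then NAT for output, NAT then filter for input). */
static int fr_check_model(struct pkt *p, int out, struct trace *t)
{
	if (out) {
		t->seen_by_ipf = *p;
		ipnat(p, 1);
	} else {
		ipnat(p, 0);
		t->seen_by_ipf = *p;
	}
	return 0;                               /* 0 = pass, like fr_checkp */
}

/* Model of the ipfw hook: always runs after fr_checkp. */
static void ipfw_model(const struct pkt *p, struct trace *t)
{
	t->seen_by_ipfw = *p;
}

/* ip_input(): fr_checkp first, then ipfw, as in the quoted ip_input.c. */
struct trace ip_input_model(struct pkt p)
{
	struct trace t;
	memset(&t, 0, sizeof t);
	fr_check_model(&p, 0, &t);
	ipfw_model(&p, &t);
	return t;
}

/* ip_output(): same order with the output flag set, as in ip_output.c. */
struct trace ip_output_model(struct pkt p)
{
	struct trace t;
	memset(&t, 0, sizeof t);
	fr_check_model(&p, 1, &t);
	ipfw_model(&p, &t);
	return t;
}

static void show(const char *label, ipaddr_t a)
{
	printf("%-20s %u.%u.%u.%u\n", label,
	       a >> 24, (a >> 16) & 255, (a >> 8) & 255, a & 255);
}

int main(void)
{
	struct pkt out = { INSIDE_HOST, ip4(198, 51, 100, 7) };  /* LAN -> Internet */
	struct pkt in  = { ip4(198, 51, 100, 7), OUTSIDE_ADDR }; /* the reply */
	struct trace to = ip_output_model(out);
	struct trace ti = ip_input_model(in);

	show("out: ipf saw src", to.seen_by_ipf.src);    /* 192.168.1.32 */
	show("out: ipfw saw src", to.seen_by_ipfw.src);  /* 203.0.113.5 */
	show("in:  ipf saw dst", ti.seen_by_ipf.dst);    /* 192.168.1.32 */
	show("in:  ipfw saw dst", ti.seen_by_ipfw.dst);  /* 192.168.1.32 */
	return 0;
}
```

The model is only as good as the hook order it encodes; when writing ipfw rules on a box that also runs ipnat, confirm the order against the ip_input.c and ip_output.c of the kernel actually deployed, since the trace above is what drives whether a rule must name the inside or the outside address.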