Date:      Fri, 21 Dec 2001 21:45:23 -0800
From:      Luigi Rizzo <rizzo@aciri.org>
To:        "Earl A. Killian" <earl@killian.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: keep-state
Message-ID:  <20011221214523.B21919@iguana.aciri.org>
In-Reply-To: <200112220531.fBM5Vui36708@gate.killian.com>
References:  <200112220531.fBM5Vui36708@gate.killian.com>

I am under the impression that you probably do not need stateful
rules for natd'ed sessions, because natd is itself stateful

	cheers
	luigi

On Fri, Dec 21, 2001 at 09:31:56PM -0800, Earl A. Killian wrote:
> I tried a firewall using keep-state and ran into a problem.  I am
> looking for suggestions on the best way to fix it.  My firewall
> was essentially
> 
>   <<anti-spoofing rules>>
>   divert natd all from any to any via ${oif}
>   check-state
>   <<filter connection setups with keep-state on the ones allowed>>
> 
> The problem is that the firewall is invoked twice, on both
> input and output.  A host on the inside initiates a connection by
> sending a SYN packet from INSIDE-IP to OUTSIDE-IP.  This was accepted
> via one of the filters and a keep-state was done.  Next, the kernel
> determines that the packet is destined for outside, so it is run
> through the rules a second time on the way out.  This time it is
> diverted to natd which rewrites it to a packet from OIF-IP to
> OUTSIDE-IP.  Another dynamic rule is created for this by a subsequent
> keep-state.  When the SYN ACK comes back from OUTSIDE-IP to GATE, it
> is diverted on input to natd, which rewrites it as OUTSIDE-IP to
> INSIDE-IP.  This hits the check-state and is accepted by the first
> dynamic rule created above, and ups the lifetime of the rule to 1000s.
> However, the second dynamic rule created above will eventually time
> out (it has only a 20s lifetime because it never sees the SYN ACK), at
> which point the connection is blocked (further packets from INSIDE-IP
> to OUTSIDE-IP will be dropped on the floor on output).
> 
> One way to fix this would be to augment the rules to accept anything
> output from the gateway to the internet:
> 
>   <<anti-spoofing rules>>
>   divert natd all from any to any via ${oif}
>   allow all from ${oip} to any out xmit ${oif}
>   check-state
>   <<filter connection setups with keep-state on the ones allowed>>
> 
> This will prevent the need for the second dynamic rule.  However, it
> seems to compromise security somewhat since it is fairly permissive,
> and generally one follows the rule that anything not required is
> denied.  Is there a better way?
> 
> -Earl
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message

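The sequence Earl describes (one SYN, two passes, two dynamic rules, only one
of them refreshed by the SYN/ACK) can be replayed in a small model.  The
following is an added example and not part of the thread, nor ipfw or natd
code: it models a packet, natd's translation table and ipfw's dynamic-rule
table just far enough to reproduce the failure and to show what changes when
the "allow all from ${oip} to any out xmit ${oif}" rule is added.  The
addresses, the interface names and the "allowed setups" filter (setups from
the inside host, or from ${oip} after translation) are assumptions; the 20 s
and 1000 s lifetimes are the figures quoted in the message.

```python
"""Added model of the ipfw/natd double-pass problem described in the thread.

Not ipfw code: packets, natd's translation table and ipfw's dynamic-rule
table are modelled just far enough to reproduce the sequence of events
Earl describes.  Addresses, interface names and the 'allowed setups'
filter are assumptions; the lifetimes (20 s half-open, 1000 s once the
SYN/ACK is seen) are the figures quoted in the message.
"""

INSIDE, OIP, OUTSIDE = "10.0.0.5", "203.0.113.1", "198.51.100.7"  # assumed
IIF, OIF = "fxp0", "fxp1"                 # inside / outside interface (assumed)
SYN_LIFETIME, ACK_LIFETIME = 20, 1000     # seconds, as quoted in the message


class Natd:
    """natd is stateful: outbound traffic creates a mapping, inbound traffic
    is rewritten only when a mapping exists (the port is kept unchanged here)."""

    def __init__(self):
        self.table = {}  # (OIP, port) -> (inside address, port)

    def translate(self, pkt, direction):
        if direction == "out":
            self.table[(OIP, pkt["sport"])] = (pkt["src"], pkt["sport"])
            return dict(pkt, src=OIP)
        inside = self.table.get((pkt["dst"], pkt["dport"]))
        if inside is None:
            return pkt  # unsolicited: natd has no state, packet left untouched
        return dict(pkt, dst=inside[0], dport=inside[1])


class Firewall:
    """Earl's ruleset: divert natd via ${oif}; optional allow from ${oip} out
    xmit ${oif}; check-state; keep-state on allowed setups; default deny."""

    def __init__(self, permissive_out):
        self.natd = Natd()
        self.permissive_out = permissive_out
        self.dyn = {}      # (src, sport, dst, dport) -> expiry time
        self.created = 0   # number of dynamic rules ever created

    @staticmethod
    def _keys(p):
        return ((p["src"], p["sport"], p["dst"], p["dport"]),
                (p["dst"], p["dport"], p["src"], p["sport"]))

    def check_state(self, pkt, now):
        self.dyn = {k: t for k, t in self.dyn.items() if t > now}  # expire
        for key in self._keys(pkt):
            if key in self.dyn:
                if pkt["flags"] == "SYNACK":
                    self.dyn[key] = now + ACK_LIFETIME  # handshake completed
                return True
        return False

    def one_pass(self, pkt, direction, iface, now):
        """One trip through the rules; returns (verdict, possibly rewritten pkt)."""
        if iface == OIF:                       # divert natd all from any to any via ${oif}
            pkt = self.natd.translate(pkt, direction)
        if (self.permissive_out and direction == "out"
                and iface == OIF and pkt["src"] == OIP):
            return "allow", pkt                # allow all from ${oip} to any out xmit ${oif}
        if self.check_state(pkt, now):         # check-state
            return "allow", pkt
        if pkt["flags"] == "SYN" and pkt["src"] in (INSIDE, OIP):
            self.dyn[self._keys(pkt)[0]] = now + SYN_LIFETIME  # setup ... keep-state
            self.created += 1
            return "allow", pkt
        return "deny", pkt                     # default deny

    def forward(self, pkt, now):
        """A forwarded packet hits the rules twice: once inbound, once outbound."""
        in_if, out_if = (IIF, OIF) if pkt["src"] == INSIDE else (OIF, IIF)
        verdict, pkt = self.one_pass(pkt, "in", in_if, now)
        if verdict == "deny":
            return "deny"
        verdict, _ = self.one_pass(pkt, "out", out_if, now)
        return verdict


def simulate(permissive_out):
    """Replay Earl's sequence: inside SYN, SYN/ACK reply, data at t=30 s (after
    the 20 s half-open lifetime), then an unsolicited SYN from outside."""
    fw = Firewall(permissive_out)
    syn = dict(src=INSIDE, sport=40000, dst=OUTSIDE, dport=80, flags="SYN")
    synack = dict(src=OUTSIDE, sport=80, dst=OIP, dport=40000, flags="SYNACK")
    data = dict(src=INSIDE, sport=40000, dst=OUTSIDE, dport=80, flags="ACK")
    stray = dict(src=OUTSIDE, sport=4444, dst=OIP, dport=22, flags="SYN")
    verdicts = [fw.forward(syn, 0), fw.forward(synack, 1), fw.forward(data, 30)]
    return {"dynamic_rules_created": fw.created,
            "verdicts": verdicts,
            "unsolicited_inbound_syn": fw.forward(stray, 31)}


if __name__ == "__main__":
    for fixed in (False, True):
        print("with allow-out rule:" if fixed else "original ruleset:", simulate(fixed))
```

With the original ruleset the model creates two dynamic rules and drops the
data packet at t=30 s on the outbound pass, exactly the symptom reported; with
the extra allow rule only one dynamic rule is created and the data packet gets
through.  In both variants the unsolicited inbound SYN reaches check-state
untranslated, because natd has no mapping for it, which is the state Luigi is
pointing at when he calls natd itself stateful.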
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011221214523.B21919>