From owner-freebsd-ipfw Sun May 27 18:46:30 2001
From: "Earl A. Killian"
Date: Sun, 27 May 2001 18:46:10 -0700
To: freebsd-ipfw@freebsd.org
Subject: keep-state questions
Message-ID: <15121.44514.950000.542481@oboew.hq.tensilica.com>

I had an ipfw firewall that was working fine without using state (e.g. based on /etc/rc.firewall). I decided to "upgrade" to using check-state/keep-state to avoid the potential problems of static rules. I did not find any documentation, howtos, etc. on how to do this. I simply did what I considered the obvious thing, but it did not work right. Although I have analyzed the problem and understand it, I am curious if anyone has any examples of the best way to do this. The fix I came up with may not be as optimal as community wisdom has invented.

My non-working first attempt boiled down to

    <>
    divert natd all from any to any via ${oif}
    check-state
    <>

The basic problem is that the firewall is invoked twice, on both input and output. A host on the inside initiates a connection by sending a SYN packet from INSIDE-IP to OUTSIDE-IP. This was accepted via one of the filters and a keep-state was done. Next, the kernel determines that the packet is destined for outside, so it is run through the rules a second time on the way out. This time it is diverted to natd, which rewrites it to a packet from OIF-IP to OUTSIDE-IP. Another dynamic rule is created for this by a subsequent keep-state.

When the SYN ACK comes back from OUTSIDE-IP to GATE, it is diverted on input to natd, which rewrites it as OUTSIDE-IP to INSIDE-IP. This hits the check-state and is accepted by the first dynamic rule created above, and ups the lifetime of the rule to 1000s. However, the second dynamic rule created above will eventually time out (it has only a 20s lifetime because it never sees the SYN ACK), at which point the connection is blocked (further packets from INSIDE-IP to OUTSIDE-IP will be dropped on the floor on output).

One way to fix this would be to augment the rules to accept anything output from the gateway to the internet:

    <>
    divert natd all from any to any via ${oif}
    allow all from ${oip} to any out xmit ${oif}
    check-state
    <>

This will prevent the need for the second dynamic rule. However, it seems to compromise security somewhat since it is fairly permissive, and generally one follows the rule that anything not required is denied.

Comments?
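A toy model of the two-pass traversal Earl describes, added here as an illustration (it is not code from the post and not ipfw itself); the addresses are placeholder values and the 20 s / 1000 s lifetimes are the ones quoted above. scenario(False) reproduces the second dynamic rule timing out and the later data packet being denied on output, while scenario(True) adds the proposed "allow all from ${oip} ... out xmit ${oif}" rule so no second dynamic rule is ever created.

```python
# Constructed model of ipfw's input + output passes with natd and keep-state (not real ipfw code).
INSIDE, OUTSIDE, OIP = "192.168.1.10", "203.0.113.5", "198.51.100.1"   # placeholder addresses
SYN_LIFETIME, ESTABLISHED_LIFETIME = 20, 1000   # seconds, as quoted in the post


class Ipfw:
    def __init__(self, allow_gateway_out):
        self.allow_gateway_out = allow_gateway_out   # adds "allow all from ${oip} to any out xmit ${oif}"
        self.dynamic = {}   # (src, dst) -> remaining lifetime in seconds

    def tick(self, seconds):
        """Age the dynamic rules; entries whose lifetime runs out are dropped."""
        self.dynamic = {k: v - seconds for k, v in self.dynamic.items() if v > seconds}

    def traverse(self, src, dst, direction, via_oif, syn):
        """One pass over the rule list; returns the (possibly NATed) packet and the verdict."""
        if via_oif:   # divert natd all from any to any via ${oif}
            if direction == "out" and src == INSIDE:
                src = OIP
            elif direction == "in" and dst == OIP:
                dst = INSIDE
        if self.allow_gateway_out and direction == "out" and via_oif and src == OIP:
            return (src, dst), "allow"   # the proposed fix, placed before check-state
        for key in ((src, dst), (dst, src)):   # check-state: either direction of a known flow
            if key in self.dynamic:
                self.dynamic[key] = ESTABLISHED_LIFETIME   # seeing the reply ups the lifetime
                return (src, dst), "allow"
        if syn:   # e.g. "allow tcp from any to any setup keep-state"
            self.dynamic[(src, dst)] = SYN_LIFETIME
            return (src, dst), "allow"
        return (src, dst), "deny"   # no static or dynamic rule matched a non-SYN packet


def forward(fw, src, dst, outbound, syn=False):
    """The kernel runs the firewall on input and again on output; natd sits on ${oif}."""
    for direction, via_oif in (("in", not outbound), ("out", outbound)):
        (src, dst), verdict = fw.traverse(src, dst, direction, via_oif, syn)
        if verdict == "deny":
            return "deny"
    return "allow"


def scenario(allow_gateway_out):
    """Verdict for a data packet sent 30 s after the handshake, plus the surviving dynamic rules."""
    fw = Ipfw(allow_gateway_out)
    forward(fw, INSIDE, OUTSIDE, outbound=True, syn=True)   # SYN; NATed to OIP on the way out
    forward(fw, OUTSIDE, OIP, outbound=False)               # SYN/ACK; natd rewrites dst to INSIDE
    fw.tick(30)                                             # longer than the 20 s SYN-only lifetime
    return forward(fw, INSIDE, OUTSIDE, outbound=True), sorted(fw.dynamic)
```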
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message

From owner-freebsd-ipfw Mon May 28 3:40:42 2001
From: Ruslan Ermilov
Date: Mon, 28 May 2001 13:40:20 +0300
To: Matt Dillon
Cc: doc@FreeBSD.org, ipfw@FreeBSD.org
Subject: Re: cvs commit: src/share/man/man7 firewall.7 tuning.7 Makefile
Message-ID: <20010528134020.A6209@sunbay.com>
In-Reply-To: <200105272314.f4RNERG18768@freefall.freebsd.org>

[Redirected to -doc and -ipfw]

On Sun, May 27, 2001 at 04:14:27PM -0700, Matt Dillon wrote:
> dillon      2001/05/27 16:14:27 PDT
>
>   Modified files:
>     share/man/man7       Makefile
>   Added files:
>     share/man/man7       firewall.7 tuning.7
>   Log:
>   Add two new manual pages related to general firewall and tuning issues
>
>   Reviewed by:  hackers
>
>   Revision  Changes    Path
>   1.15      +2 -2      src/share/man/man7/Makefile
>
Sorry, I somehow missed your review request on -hackers, and didn't see it on the -ipfw list either.

First, please sort the MAN= entries in Makefile as they were before.

I am somewhat confused as to why you have chosen to add the new firewall(7) manpage rather than extend the existing manpages? IMHO this only creates unnecessary bloat. For example, the `IPFW KERNEL CONFIGURATION' section is an (almost) duplicate of the `Kernel Options' in ipfirewall(4) (the latter is seriously outdated), and it is now required to keep both in sync. The rest of the firewall(7) manpage fits nicely into the existing ipfw(8) manpage.

More on markup later...

Cheers,
--
Ruslan Ermilov          Oracle Developer/DBA, ru@sunbay.com
Sunbay Software AG,     ru@FreeBSD.org
FreeBSD committer,      +380.652.512.251
Simferopol, Ukraine     http://www.FreeBSD.org The Power To Serve
                        http://www.oracle.com Enabling The Information Age

From owner-freebsd-ipfw Wed May 30 15:35:53 2001
From: Alex Culver
Date: Wed, 30 May 2001 15:35:51 -0700 (PDT)
Message-ID: <20010530223551.8399.qmail@web10003.mail.yahoo.com>
Subject: i'm new at this.....
To: freebsd-ipfw@freebsd.org

I've got 2 interfaces in my machine (one for the inside and one for the outside).... From the regular /stand/sysinstall program, do I need to put a gateway address in the config of either of my enet interfaces before I begin to configure ipfw (recompile kernel and all that)?

__________________________________
Alex Culver
aculver@yahoo.com

From owner-freebsd-ipfw Thu May 31 6:29:30 2001
From: Chris Browning
Date: Thu, 31 May 2001 09:18:24 -0400
To: Alex Culver
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: i'm new at this.....
Message-ID: <3B1644A0.41DF397D@prokyon.com>
References: <20010530223551.8399.qmail@web10003.mail.yahoo.com>

/stand/sysinstall is not going to be much help. You need to edit /etc/rc.conf and set defaultrouter=[upstream_router] to set your gateway on the firewall. The machines on your LAN will use the inside interface of the firewall as their gateway.

I need a little more information. Is this machine already connected to the Internet? If so, defaultrouter is already set; if not, I would work on that side (outside interface) first.
Alex Culver wrote:
>
> i've got 2 interfaces in my machine(one for the inside and
> one for the outside)....from the regular /stand/sysinstall
> program, do i need to put a gateway address in the config
> of either of my enet interfaces before i begin to
> configure ipfw(recompile kernel and all that)?
>
--
-----------------------------
Chris Browning
brownicm@prokyon.com
-----------------------------