Date:      Wed, 21 Jan 2004 00:07:39 -0600
From:      "Micheal Patterson" <micheal@tsgincorporated.com>
To:        <freebsd-questions@freebsd.org>
Subject:   Re: ipfw/nated stateful rules example
Message-ID:  <034301c3dfe4$e336c1e0$0201a8c0@dredster>
References:  <MIEPLLIBMLEEABPDBIEGIEGCFFAA.fbsd_user@a1poweruser.com>


----- Original Message ----- 
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Micheal Patterson" <micheal@tsgincorporated.com>;
<freebsd-questions@freebsd.org>
Sent: Tuesday, January 20, 2004 8:18 PM
Subject: RE: ipfw/nated stateful rules example


> You are doing keep-state on both the LAN interface and the public
> interface and it only works because the returning public packet is
> being matched to stateful table entries posted by the LAN interface
> keep-state rules and not the stateful table entries posted by the
> external interface. Yes you are making it work, but not work
> correctly. In the true security sense, this is insecure and
> invalidates the whole purpose of using keep-state rules at all. This
> would never be allowed by a real firewall security professional.
>
> If you feel secure in using this method, be my guest. But know it's
> not really providing you protection for packets inserted by an
> attacker.  It nullifies the benefits of keep-state on the interface
> facing the public internet.

It's working because my fbsd box is in router mode and I don't want people
to communicate with its serial IP unless I request it. That's why there are
two stateful entries. One to protect the serial and one to protect my LAN.
NAT sits happily in the middle.

Let's take this to a more real world scenario though.

You have the following:

Cisco 3745 connected to a Sprint ATM circuit.
Serial IPs: 62.121.1.2 Your side / 62.121.1.1 Sprint side.
Cisco LAN: 10.0.0.1/30
Firewall WAN: 10.0.0.2/30
Firewall LAN: 64.1.1.1

The above is a generic DMZ setup. Since this is on Sprint, the router's
serial IP is not accessible either unless you specifically request it via
their NOC so they can remove their default filters. I'm assuming that we're
in agreement here. In this scenario, where would you put stateful? On the
LAN side.

Now, assume that this is a NAT'd network with 128 IPs and you've got 200+
systems behind it.

Cisco 2620 connected to Sprint DS1:
Serial IPs: 62.121.1.2 Your side / 62.121.1.1 Sprint side
Cisco LAN: 64.1.1.1
Firewall WAN  w/NAT: 64.1.1.2
Firewall LAN: 192.168.1.0/24

In this scenario, you have NAT running on the firewall and doing the
translations for the internal range. NAT sits on your WAN interface and does
its merry little thing.

If I understand you correctly, you're saying that "Private > NAT > WAN
Keep-State > World" is the accepted manner of a network security
professional and is secure.

Whereas what I'm doing "Private LAN Keep-State > NAT > World" is not secure
and would not be accepted by a security professional?  How do you figure
that either method is more or less secure than the other? If stateful is
breached in either method, the underlying network is compromised. Sorry,
it's late and I may be missing something but I just don't see it.

--

Micheal Patterson
Network Administration
TSG Incorporated
405-917-0600
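Added example, not part of this thread and not code from either poster: an
ipfw(8)/natd(8) ruleset for the second scenario above (firewall WAN w/NAT
64.1.1.2, firewall LAN 192.168.1.0/24) laid out as "Private LAN keep-state >
NAT > World". Interface names are assumptions the message does not give: fxp0
for the WAN side, fxp1 for the LAN side, and natd started as "natd -n fxp0".
The point the example shows is the one the two posts argue over: a dynamic
entry is keyed on the addresses the packet carried when the keep-state rule
fired, and check-state compares the packet as it looks at that point in the
ruleset. Entries created on the LAN interface therefore hold private
addresses, so the inbound divert must run before check-state (so replies are
translated back to 192.168.1.x first), and the stateful rules use skipto so
that a packet accepted by check-state on its way out still passes the
outbound divert instead of leaving untranslated. The second keep-state rule
covers the firewall's own sessions and is the only way traffic to 64.1.1.2
ever gets through.

```shell
#!/bin/sh
# Hypothetical ipfw + natd ruleset (not from the mailing-list thread).
# Assumed: WAN interface fxp0, LAN interface fxp1, natd running as "natd -n fxp0",
# net.inet.ip.forwarding=1.  "sh rules.sh" previews the rules, "sh rules.sh load"
# installs them.

WAN_IF="${WAN_IF:-fxp0}"      # assumed name
LAN_IF="${LAN_IF:-fxp1}"      # assumed name
WAN_IP="64.1.1.2"             # from the scenario in the message
LAN_NET="192.168.1.0/24"      # from the scenario in the message

# Pass a rule to ipfw when loading; print it when previewing.
fw() {
    if [ "${MODE}" = load ]; then ipfw -q "$@"; else printf 'ipfw %s\n' "$*"; fi
}

ipfw_rules() {
    fw add 00100 allow ip from any to any via lo0
    fw add 00110 deny ip from any to 127.0.0.0/8
    fw add 00120 deny ip from 127.0.0.0/8 to any

    # Inbound: translate FIRST so a reply carries its private destination again,
    # THEN look it up.  A check-state placed before this divert would see
    # 64.1.1.2 and never match the LAN-side entries.
    fw add 00200 divert natd ip from any to any in via "${WAN_IF}"
    fw add 00210 check-state

    # LAN-originated sessions: state is created as the packet ENTERS on the LAN
    # interface, so the entry is keyed on the 192.168.1.x address.  skipto (not
    # allow) so that the same packet, when check-state matches it on its way out
    # via the WAN interface, is sent through the outbound divert below.
    fw add 00300 skipto 1000 ip from "${LAN_NET}" to any in via "${LAN_IF}" keep-state

    # Firewall-originated sessions: the second stateful entry.  Nothing else in
    # the ruleset ever accepts a packet addressed to ${WAN_IP}.
    fw add 00310 skipto 1000 ip from "${WAN_IP}" to any out via "${WAN_IF}" keep-state

    # Everything not matched above, including unsolicited packets to ${WAN_IP}
    # and LAN packets whose state entry is missing, stops here.
    fw add 00400 deny log ip from any to any

    # Reached only via skipto: outbound NAT, then accept the translated packet.
    fw add 01000 divert natd ip from any to any out via "${WAN_IF}"
    fw add 01010 allow ip from any to any
}

preview_rules() { MODE=preview; ipfw_rules; }
load_rules()    { MODE=load; ipfw -q -f flush && ipfw_rules; }

case "${1:-preview}" in
    load) load_rules ;;
    *)    preview_rules ;;
esac
```

Tracing one LAN connection through the list: the first packet enters on fxp1,
creates its entry at 00300 and is accepted via 01010; on its second pass (out
via fxp0) check-state matches the private-keyed entry, executes the parent's
skipto, and the packet is translated at 01000. The reply is translated back at
00200, matches at 00210, and is accepted. A SYN from the Internet to 64.1.1.2
passes natd untouched, matches nothing stateful, and dies at 00400.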



