Date:      Sun, 29 Jul 2001 09:18:36 +0100 (BST)
From:      mikescott@clara.net
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        mikescott@clara.net
Subject:   kern/29294: IPFW dynamic rules and NATD interaction has logical design flaw
Message-ID:  <200107290818.f6T8IaU01684@data.scotts>


>Number:         29294
>Category:       kern
>Synopsis:       IPFW dynamic rules and NATD interaction has logical design flaw
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jul 29 01:40:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Mike Scott
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
(self)
>Environment:
System: FreeBSD data.scotts 4.3-RELEASE FreeBSD 4.3-RELEASE #1: Thu Jul 19 15:20:22 BST 2001 mike@data.scotts:/usr/src/sys/compile/DATA i386

	486dx2/66 (!), os as above, with standard ipfw, natd, libraries.
	
>Description:
	There seems to be a logical error in the way natd is handled in
	conjunction with the ipfw firewall rules.  I've asked on the
	questions and hackers lists about this, but there's been little
	response - one person said my config file was wrong, another vaguely
	remembered a problem of this sort.
	(1) ipfw rules are handled top down, stop on first match.
	(2) therefore the NAT diversion must be the first item in the list,
	or it may never be reached.
	(3) keep-state and check-state must therefore both follow the NAT
	diversion. (So no trickery allowed having before-nat and after-nat
	state checks)
	(4) keep-state and check-state must work on the same set of addresses,
	either both internal, or both external.
	(5) the list of firewall rules is traversed in the same order for
	incoming and outgoing packets
	(6) therefore all rules for incoming packets are applied to *local*
	addresses, all rules for outgoing are applied to *external* addresses.
	(7) keep-state and check-state are normally applied to packets flowing
	in opposite directions.
	(8) Therefore, they are applied inconsistently to incoming and
	outgoing addresses (keep-state may save an internal address, but
	check-state will be applied to an external address, and vice versa)

	
>How-To-Repeat:
	I assume that any ipfw config of the form
	$fwcmd add divert natd all from any to any via tun0
	...
	$fwcmd add check-state
	$fwcmd add deny log tcp from any to any established
	$fwcmd add allow log tcp from any to any out via tun0 keep-state

	will exhibit the wrong behaviour.  'ipfw show' will show the
	dynamic rule(s) with the wrong addresses in
>Fix:
	Assuming I'm right, the "call" to natd doesn't belong in the fw rules.
	It should always occur just after packets are read in, just before
	they're written out to the network.
	
	Workaround is not to use dynamic rules.

>Release-Note:
>Audit-Trail:
>Unformatted:
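The ordering argument in points (1) to (8) above, and the proposed fix of applying NAT outside the rule list, as a small simulation added here. This is not code from the PR, from ipfw or from natd: the addresses, the single TCP flow and the one-line `natd()` rewrite are all constructed, and only the report's own model of top-down, stop-on-first-match traversal is implemented.

```python
"""Toy model of the rule-traversal argument in PR kern/29294.

Added example, not part of the PR or of FreeBSD's ipfw/natd code.
Every address is constructed (RFC 5737 / RFC 1918 documentation ranges)
and natd() is a one-line address rewrite standing in for the daemon.
"""
from dataclasses import dataclass

INTERNAL = "192.168.1.10"   # constructed: host behind the NAT
EXTERNAL = "198.51.100.1"   # constructed: address of tun0
REMOTE = "203.0.113.5"      # constructed: server on the Internet


@dataclass
class Packet:
    src: str
    dst: str
    direction: str      # "out" or "in"
    established: bool   # True for anything after the opening SYN


def natd(pkt):
    """Constructed stand-in for 'divert natd': rewrite the internal source
    to the external address on the way out, and the external destination
    back to the internal address on the way in."""
    if pkt.direction == "out" and pkt.src == INTERNAL:
        return Packet(EXTERNAL, pkt.dst, pkt.direction, pkt.established)
    if pkt.direction == "in" and pkt.dst == EXTERNAL:
        return Packet(pkt.src, INTERNAL, pkt.direction, pkt.established)
    return pkt


def run_ruleset(pkt, state, nat_in_rules):
    """Walk the PR's ruleset top down, stopping on the first match.

    state:        set of (src, dst) pairs recorded by keep-state.
    nat_in_rules: True  -> 'divert natd' is the first rule, as in the PR.
                  False -> the PR's proposed fix: NAT is applied on input
                           before the rules and on output after them.
    Returns (verdict, packet as the rules saw it).
    """
    if nat_in_rules:
        pkt = natd(pkt)            # rule: divert natd all from any to any via tun0
    elif pkt.direction == "in":
        pkt = natd(pkt)            # NAT "just after packets are read in"

    # check-state: match if either orientation of the flow was kept
    if (pkt.dst, pkt.src) in state or (pkt.src, pkt.dst) in state:
        return "allow", pkt
    # deny log tcp from any to any established
    if pkt.established:
        return "deny", pkt
    # allow log tcp from any to any out via tun0 keep-state
    if pkt.direction == "out":
        state.add((pkt.src, pkt.dst))
        return "allow", pkt
    return "deny", pkt             # implicit default deny


def simulate(nat_in_rules):
    """Open one connection from INTERNAL to REMOTE and let the reply come
    back. Returns (addresses recorded by keep-state, verdict for the reply)."""
    state = set()
    syn = Packet(INTERNAL, REMOTE, "out", established=False)
    run_ruleset(syn, state, nat_in_rules)
    reply = Packet(REMOTE, EXTERNAL, "in", established=True)
    verdict, _ = run_ruleset(reply, state, nat_in_rules)
    return sorted(state), verdict


if __name__ == "__main__":
    for label, flag in (("natd first in ruleset", True), ("NAT outside ruleset", False)):
        kept, verdict = simulate(flag)
        print(f"{label}: keep-state recorded {kept}, reply is {verdict}")
```

With natd as the first rule, keep-state records the post-NAT (external) source while the reply reaches check-state already rewritten to the internal address, so the dynamic rule never matches and the reply falls through to the `deny ... established` rule; with NAT moved outside the rule list both directions are checked against internal addresses and the reply is accepted. The model reproduces only the report's reasoning, not the exact matching semantics of a real ipfw build.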
