Date:      Wed, 9 Jun 2004 07:12:34 -0000
From:      Thomas Wolf <tw@wsf.at>
To:        Barbish3@adelphia.net, freebsd-ipfw@freebsd.org, tw@wsf.at
Cc:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@freebsd.org>
Subject:   RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <20040609091234.fsoyaxik9m8sco@.mailhost.wsf.at>


JJB <Barbish3@adelphia.net> wrote:

> Thanks for your example. I have finally had time to study it
> and I see the flaw in it.
> 
> The example works fine for creating the entry in the dynamic table
> for setup of keep-state inbound and outbound session start requests.
> It even handles inbound packets that are part of an established
> session conversation, but for established outbound session conversations
> the check-state rule releases the packet before it has been nated.

No. 'check-state' does not unconditionally release a packet but
performs the 'action'-part of the rule that installed the dynamic
rule - in our case 'skipto 10000' where it gets nat'ed.

> Therein lies the flaw.
> 
> Do you have any suggestions on how to correct this?

Have you tried the script, and did it really fail?
I just double-checked and it works fine on my system.

Thomas

> 
> 
> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Thomas Wolf
> Sent: Thursday, June 03, 2004 3:00 AM
> To: Barbish3@adelphia.net; freebsd-ipfw@freebsd.org
> Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/
> keep-state?
> 
> 
> JJB <Barbish3@adelphia.net> wrote:
> 
> > Where do you get off calling my questioning of Luigi Rizzo's
> > answer an attack?
> > I have heard that party line statement all too often over the last
> > 4 years, with no backup proof. That party line canned answer may be
> > sufficient for the original thread poster who has not invested the
> > time yet to come to the realization that it does not work.
> > My post to the thread was meant to bring this problem out so the
> > experts can look into it and take corrective actions.
> 
> This should work although some features are missing
> (loopback, anti-spoofing, identd..):
> 
> #!/bin/sh
> log="log"
> cmd="ipfw add"
> allow="skipto 10000"
> oif=rl0
> good_tcp="22,25,53,80,443,110"
> good_udp="53"
> good_icmp="icmptypes 0,3,8,11,12"
> ipfw -f flush
> 
> $cmd 100 divert natd ip from any to any in via $oif
> $cmd 105 check-state
> $cmd 110 $allow icmp from any to any $good_icmp
> $cmd 120 $allow udp from any to any $good_udp out keep-state
> $cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
> $cmd 140 deny $log ip from any to any
> $cmd 10000 divert natd ip from any to any out via $oif
> $cmd 10010 allow ip from any to any
> $cmd 10020 deny ip from any to any
> 
> 
> Thomas
> 
> --
> Thomas Wolf
> Wiener Software Fabrik
> Dubas u. Wolf GMBH
> 1050 Wien, Mittersteig 4
> 
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe@freebsd.org"
> 

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
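The point of disagreement in this thread is what `check-state` does when a packet matches an existing dynamic entry. The following is an added example, not code from the thread or from ipfw: a small Python model of ipfw's rule walk over Thomas's ruleset, constructed to make the ordering visible. It tracks which rules a packet passes and what action is taken; it does not rewrite addresses (natd is modelled only as "diverted, then reinjected at the next rule"), it ignores `icmptypes`, and the sample flow (LAN host 192.168.1.10 talking to 203.0.113.5:80 through `rl0`) is constructed. A `checkstate_releases` switch models the reading JJB describes (check-state accepts the packet on the spot) so the two traces can be compared side by side.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of ipfw's rule walk (an assumption-laden illustration, not ipfw):
#  - 'check-state' re-runs the action of the rule that installed the matching
#    dynamic entry (here 'skipto 10000', where the outbound natd divert sits)
#  - 'divert' only records that the packet went to natd; it is reinjected at the
#    next rule with unchanged addresses (natd rewriting is not modelled)
#  - 'icmptypes' is not modelled

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str          # "in" or "out"
    iface: str
    setup: bool = False     # TCP SYN without ACK

@dataclass
class Rule:
    number: int
    action: str                     # divert | check-state | skipto | allow | deny
    proto: str = "ip"               # "ip" matches any protocol
    direction: Optional[str] = None
    iface: Optional[str] = None
    ports: Tuple[int, ...] = ()     # destination ports; () = any
    setup: bool = False
    keep_state: bool = False
    arg: int = 0                    # skipto target rule number

class Firewall:
    def __init__(self, rules, checkstate_releases=False):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.dynamic = {}           # flow key -> rule that installed the entry
        self.trace = []             # actions taken for the last packet
        self.checkstate_releases = checkstate_releases  # JJB's reading, for contrast

    def flow_key(self, p):
        # Direction-independent key so replies hit the same dynamic entry
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def matches(self, r, p):
        return ((r.proto == "ip" or r.proto == p.proto)
                and (not r.direction or r.direction == p.direction)
                and (not r.iface or r.iface == p.iface)
                and (not r.ports or p.dport in r.ports)
                and (not r.setup or p.setup))

    def process(self, p):
        self.trace, idx = [], 0
        while idx < len(self.rules):
            r, eff = self.rules[idx], None      # eff = rule whose action is carried out
            if r.action == "check-state":
                installer = self.dynamic.get(self.flow_key(p))
                if installer is not None:
                    if self.checkstate_releases:
                        self.trace.append(f"{r.number}: check-state allow (never reaches natd)")
                        return "allow"
                    self.trace.append(f"{r.number}: check-state -> action of rule {installer.number}")
                    eff = installer
            elif self.matches(r, p):
                eff = r
                if r.keep_state:
                    self.dynamic[self.flow_key(p)] = r
                    self.trace.append(f"{r.number}: keep-state entry installed")
            if eff is None:
                idx += 1
                continue
            if eff.action in ("allow", "deny"):
                self.trace.append(f"{r.number}: {eff.action}")
                return eff.action
            if eff.action == "divert":
                self.trace.append(f"{r.number}: divert natd")
                idx += 1                        # natd reinjects at the next rule
            elif eff.action == "skipto":
                self.trace.append(f"{r.number}: skipto {eff.arg}")
                idx = next((i for i, x in enumerate(self.rules) if x.number >= eff.arg),
                           len(self.rules))
            else:
                raise ValueError(eff.action)
        return "deny"                           # default deny past the last rule

def thread_ruleset(oif="rl0"):
    # Thomas's script from the thread, transcribed into model rules
    return [
        Rule(100, "divert", direction="in", iface=oif),
        Rule(105, "check-state"),
        Rule(110, "skipto", proto="icmp", arg=10000),
        Rule(120, "skipto", proto="udp", direction="out", ports=(53,), keep_state=True, arg=10000),
        Rule(130, "skipto", proto="tcp", direction="out", ports=(22, 25, 53, 80, 443, 110),
             setup=True, keep_state=True, arg=10000),
        Rule(140, "deny"),
        Rule(10000, "divert", direction="out", iface=oif),
        Rule(10010, "allow"),
        Rule(10020, "deny"),
    ]

def run_tcp_session(checkstate_releases=False):
    # Constructed sample flow: SYN out, SYN/ACK in, then an established-session packet out
    fw = Firewall(thread_ruleset(), checkstate_releases)
    pkts = [
        Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "out", "rl0", setup=True),
        Packet("tcp", "203.0.113.5", 80, "192.168.1.10", 40000, "in", "rl0"),
        Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 80, "out", "rl0"),
    ]
    return [(fw.process(p), list(fw.trace)) for p in pkts]

def unsolicited_inbound_syn():
    # A SYN arriving from outside with no dynamic entry must fall through to rule 140
    fw = Firewall(thread_ruleset())
    return fw.process(Packet("tcp", "198.51.100.7", 5555, "192.168.1.10", 22, "in", "rl0", setup=True))

if __name__ == "__main__":
    for verdict, trace in run_tcp_session():
        print(verdict, trace)
```

In the model's default mode the third packet (outbound, established session) traces `105: check-state -> action of rule 130`, `105: skipto 10000`, `10000: divert natd`, `10010: allow`: it is handed to natd before being allowed, which is Thomas's point. With `checkstate_releases=True` the same packet stops at rule 105 with an `allow` and never reaches the divert, which is the behaviour JJB describes and the one the real `check-state` semantics avoid. The unsolicited inbound SYN is diverted at 100, finds no dynamic entry, matches none of the `out` rules and is denied at 140.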


