From: Thomas Wolf <tw@wsf.at>
Date: Wed, 9 Jun 2004 07:12:34 -0000
To: Barbish3@adelphia.net, freebsd-ipfw@freebsd.org, tw@wsf.at
Cc: freebsd-questions@FreeBSD.ORG
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <20040609091234.fsoyaxik9m8sco@.mailhost.wsf.at>
X-Mailer: twiggi 1.10.3
Reply-To: tw@wsf.at

JJB wrote:
> Thanks for your example. I have finally had time to study it
> and I see the flaw in it.
>
> The example works fine for creating the entry in the dynamic table
> for setup of keep-state inbound and outbound session start requests.
> It even handles inbound packets that are part of an established
> session conversation, but for established outbound session conversations
> the check-state rule releases the packet before it has been NATed.

No. 'check-state' does not unconditionally release a packet but performs
the 'action' part of the rule that installed the dynamic rule, in our
case 'skipto 10000', where it gets nat'ed.

> Therein lies the flaw.
>
> Do you have any suggestions on how to correct this?

Have you tried the script and it really failed? I just double-checked
and it works fine on my system.

Thomas

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org
> [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Thomas Wolf
> Sent: Thursday, June 03, 2004 3:00 AM
> To: Barbish3@adelphia.net; freebsd-ipfw@freebsd.org
> Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
>
> JJB wrote:
>
> > Where do you get off calling my questioning of Luigi Rizzo's answer
> > as an attack.
> > I have heard that party line statement all too often over the last 4
> > years, with no backup proof. That party line canned answer may be
> > sufficient for the original thread poster who has not invested the
> > time yet to come to the realization that it does not work.
> > My post to the thread was meant to bring this problem out so the
> > experts can look into it and take corrective actions.
>
> This should work although some features are missing
> (loopback, anti-spoofing, identd..):
>
> #!/bin/sh
> log="log"
> cmd="ipfw add"
> allow="skipto 10000"
> oif=rl0
> good_tcp="22,25,53,80,443,110"
> good_udp="53"
> good_icmp="icmptypes 0,3,8,11,12"
> ipfw -f flush
>
> $cmd 100 divert natd ip from any to any in via $oif
> $cmd 105 check-state
> $cmd 110 $allow icmp from any to any $good_icmp
> $cmd 120 $allow udp from any to any $good_udp out keep-state
> $cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
> $cmd 140 deny $log ip from any to any
> $cmd 10000 divert natd ip from any to any out via $oif
> $cmd 10010 allow ip from any to any
> $cmd 10020 deny ip from any to any
>
> Thomas
>
> --
> Thomas Wolf
> Wiener Software Fabrik
> Dubas u. Wolf GMBH
> 1050 Wien, Mittersteig 4
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
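The disagreement in this thread comes down to what ipfw does when a check-state rule matches an existing dynamic entry. The following toy model, added here as an illustration and not part of the thread or of ipfw itself, walks the quoted rule set with the three semantics that matter: keep-state installs a dynamic entry carrying the parent rule's action, check-state executes that stored action rather than a bare allow, and a divert rule hands the packet to natd after which processing resumes at the next rule. The addresses, the hypothetical natd table and the sample packets are constructed; the rule numbers and actions are the script's. Running it shows an established outbound packet taking 105 -> skipto 10000 -> divert natd -> allow, i.e. still being NATed, and an unsolicited inbound SYN falling through to rule 140.

```python
EXT_IP = "203.0.113.1"      # constructed: address of the outside interface rl0
LAN_HOST = "192.168.1.10"   # constructed: a host behind the NAT
WEB = "198.51.100.7"        # constructed: a web server on the Internet

# (rule number, action, match options), mirroring the quoted ipfw script
RULES = [
    (100, "divert", {"dir": "in"}),
    (105, "check-state", {}),
    (110, "skipto 10000", {"proto": "icmp"}),
    (120, "skipto 10000", {"proto": "udp", "dports": {53}, "dir": "out", "keep_state": True}),
    (130, "skipto 10000", {"proto": "tcp", "dports": {22, 25, 53, 80, 443, 110},
                           "dir": "out", "setup": True, "keep_state": True}),
    (140, "deny", {}),
    (10000, "divert", {"dir": "out"}),
    (10010, "allow", {}),
    (10020, "deny", {}),
]


def flow_key(pkt):
    """One key for both directions of a flow, as ipfw's dynamic rule matches it."""
    ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends)


def matches(opts, pkt):
    """Static match options of a rule against a packet (keep_state is not one)."""
    if opts.get("proto", pkt["proto"]) != pkt["proto"]:
        return False
    if "dports" in opts and pkt["dport"] not in opts["dports"]:
        return False
    if opts.get("dir", pkt["dir"]) != pkt["dir"]:
        return False
    if opts.get("setup") and not pkt["setup"]:
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = sorted(rules)
        self.dynamic = {}   # flow key -> action of the rule that installed it
        self.nat = {}       # hypothetical natd table: external port -> LAN source
        self.trace = []     # (rule number, action taken) for the last packet

    def natd(self, pkt):
        """Crude natd: outbound packets get the interface address as source,
        inbound packets to a known mapping get their LAN destination restored."""
        if pkt["dir"] == "out":
            self.nat[pkt["sport"]] = pkt["src"]
            pkt["src"] = EXT_IP
        elif pkt["dst"] == EXT_IP and pkt["dport"] in self.nat:
            pkt["dst"] = self.nat[pkt["dport"]]
        return pkt

    def run(self, pkt):
        pkt, i, self.trace = dict(pkt), 0, []
        while i < len(self.rules):
            num, action, opts = self.rules[i]
            if action == "check-state":
                if flow_key(pkt) not in self.dynamic:
                    i += 1
                    continue
                # the dynamic entry fires with its parent rule's action (skipto 10000)
                action = self.dynamic[flow_key(pkt)]
            elif not matches(opts, pkt):
                i += 1
                continue
            elif opts.get("keep_state"):
                self.dynamic[flow_key(pkt)] = action
            self.trace.append((num, action))
            if action in ("allow", "deny"):
                return action, pkt
            if action == "divert":
                pkt = self.natd(pkt)   # natd reinjects; processing resumes at the next rule
                i += 1
                continue
            target = int(action.split()[1])   # "skipto N"
            i = next(j for j, r in enumerate(self.rules) if r[0] >= target)
        return "deny", pkt                     # ipfw's implicit default


def walk_session():
    """Push one LAN-to-web TCP session and an unsolicited inbound SYN through the rules."""
    fw = Firewall(RULES)
    out = {"proto": "tcp", "src": LAN_HOST, "sport": 40000, "dst": WEB, "dport": 80, "dir": "out"}
    packets = [
        ("syn", dict(out, setup=True)),                  # session start, installs the state
        ("reply", {"proto": "tcp", "src": WEB, "sport": 80, "dst": EXT_IP, "dport": 40000,
                   "dir": "in", "setup": False}),
        ("data", dict(out, setup=False)),                # established outbound packet
        ("unsolicited", {"proto": "tcp", "src": WEB, "sport": 5555, "dst": EXT_IP,
                         "dport": 22, "dir": "in", "setup": True}),
    ]
    results = {}
    for name, pkt in packets:
        verdict, final = fw.run(pkt)
        results[name] = (verdict, final["src"], final["dst"], list(fw.trace))
    return results


if __name__ == "__main__":
    for name, (verdict, src, dst, trace) in walk_session().items():
        print(f"{name:12} {verdict:5} {src} -> {dst}  via {trace}")
```

The "data" packet is the case JJB describes: it carries no SYN, so rule 130 cannot match it, and it reaches rule 105 with a dynamic entry already present. Because that entry stores "skipto 10000", the packet is sent to the outbound divert rule and leaves with the interface address as source. The inbound reply is un-NATed by rule 100 before it reaches check-state, which is why the dynamic entry, keyed on the LAN address, still matches it.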