Date:      Sun, 17 Feb 2002 10:31:45 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc:        FBSD <freebsd-questions@FreeBSD.ORG>, cvarda@flopnet.com.br, Patrick Soltani <psoltani@ultradns.com>
Subject:   Re: IPFW check-state rules
Message-ID:  <20020217103145.Q48401@blossom.cjclark.org>
In-Reply-To: <LPBBIGIAAKKEOEJOLEGOEENHCHAA.barbish@a1poweruser.com>; from barbish@a1poweruser.com on Sun, Feb 17, 2002 at 12:23:59PM -0500
References:  <20020217080858.P48401@blossom.cjclark.org> <LPBBIGIAAKKEOEJOLEGOEENHCHAA.barbish@a1poweruser.com>

On Sun, Feb 17, 2002 at 12:23:59PM -0500, Joe & Fhe Barbish wrote:
> Crist you wrote this.
> I am saying it is difficult to get ipfw(8) 'keep-state' to work well
> with natd(8). It may not be worth it for many users. It does not
> provide additional protection.
> 
> 
> You are way out in nowhere land with that statement.
> I have read you stating in other posts that keep-state provides
> much better security. And if keep-state did not provide better firewall
> security then why would somebody take the time to write it?

'keep-state' provides much better protection than a stateless packet
filter, no doubt about it. But combining NAT and a stateless firewall
makes a stateful packet filter. However, I feel that that is abusing
NAT. NAT is not a security feature. NAT is something you do to
increase your IP address space. I don't like the fact that
'keep-state' and natd(8) do not work well together. There are quite a
few things that I don't like about 'keep-state.' That's one of the
main reasons I don't use it much anymore. I use IPFilter (but it has
its limits too).

> Well I killed natd and user ppp and restarted user ppp with the -nat flag
> and now the rules in the outbound section of my rule set as posted
> here earlier, minus the divert rule, are functioning.  The correct answer to
> my original question was to get rid of natd from the ipfw rule set and
> use the user ppp nat function.

I didn't know you were using ppp(8).
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
