Date:      Thu, 14 Feb 2002 22:25:13 +0100
From:      "Rogier R. Mulhuijzen" <drwilco@drwilco.net>
To:        Michael Sierchio <kudzu@tenebras.com>, Luigi Rizzo <rizzo@icir.org>
Cc:        freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject:   Re: Bug in stateful code?
Message-ID:  <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>
In-Reply-To: <3C6C2180.3020704@tenebras.com>
References:  <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>


>>the reply was that keep-state and natd are very hard to use
>>together, and besides it is rather useless because natd is stateful
>>by itself.
>natd is stateful,  but provides no protection for inbound IP traffic
>that is destined for the filtering host itself.

I have personally looked at natd & stateful ipfw rules, and have concluded 
that it is logically impossible to get it to work.

Thus I made an ipfw rulelist that utilizes the statefulness of natd. I hope 
this helps you in making your own rulelist.

tl0 is the interface on internal LAN
lnc0 is the interface on external LAN

--------------------

#divert all http requests from internal network to squid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to <internet IP of machine> in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
#connection)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from <some internet IP> to <internet IP of machine> 22 in via lnc0
add 30210 allow tcp from <internet IP of machine> 22 to <some internet IP> out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from <DNS1 IP> 53 to <internet IP of machine> in via lnc0
add 30310 allow udp from <internet IP of machine> to <DNS1 IP> 53 out via lnc0
add 30320 allow udp from <DNS2 IP> 53 to <internet IP of machine> in via lnc0
add 30330 allow udp from <internet IP of machine> to <DNS2 IP> 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from <internet IP of machine> to any out via lnc0 keep-state

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

--------------------

Greets,

         Doc
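Added example, not part of the mail: a small first-match walker over the rules above, so the ordering can be checked offline. It models the natd divert as "rewrite the destination of a connection natd already knows, then resume at the next rule", which is what makes rules 30110-30112 safe to use as "allow". The placeholder addresses and the natd table are constructed stand-ins, and the mail does not show the rules from 34000 on (where outbound translation would happen), so the walk falls through to the default rule there.

```python
import ipaddress
# Added model of the rules in the mail (not the author's code). Constructed stand-ins:
# EXT/ADMIN/DNS1/DNS2 for the <...> placeholders and a natd table with one known flow.
EXT, ADMIN, DNS1, DNS2 = "198.51.100.10", "203.0.113.5", "192.0.2.53", "192.0.2.54"
INTERNAL = ["172.20.0.0/16", "172.30.0.0/16", "192.168.0.0/24"]
NAT_TABLE = {("tcp", 61000): ("172.30.0.5", 49152)}  # (proto, ext port) -> inside

def rule(num, action, proto="any", src="any", sport=None, dst="any", dport=None,
         dir=None, via=None, target=None):
    return locals()

RULES = [rule(1000, "allow", via="tl0"),
         rule(30000, "divert", dst=EXT, dir="in", via="lnc0")]
RULES += [rule(30110 + i, "allow", dst=n, dir="in", via="lnc0") for i, n in enumerate(INTERNAL)]
RULES += [rule(30200, "allow", "tcp", ADMIN, None, EXT, 22, "in", "lnc0"),
          rule(30210, "allow", "tcp", EXT, 22, ADMIN, None, "out", "lnc0")]
for i, d in enumerate((DNS1, DNS2)):
    RULES += [rule(30300 + 20 * i, "allow", "udp", d, 53, EXT, None, "in", "lnc0"),
              rule(30310 + 20 * i, "allow", "udp", EXT, None, d, 53, "out", "lnc0")]
RULES += [rule(31010 + 10 * i, "skipto", src=n, dir="out", via="lnc0", target=34000)
          for i, n in enumerate(INTERNAL)]
RULES += [rule(32000, "allow", src=EXT, dir="out", via="lnc0"),  # keep-state in the mail
          rule(33000, "deny")]

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(r, p):
    return (r["proto"] in ("any", p["proto"]) and in_net(p["src"], r["src"])
            and in_net(p["dst"], r["dst"]) and r["sport"] in (None, p["sport"])
            and r["dport"] in (None, p["dport"]) and r["dir"] in (None, p["dir"])
            and r["via"] in (None, p["via"]))

def evaluate(pkt):
    # First-match walk returning (verdict, rule number). 'divert' models natd: a known
    # connection has its destination rewritten and ipfw resumes at the next rule.
    p, i = dict(pkt), 0
    while i < len(RULES):
        r = RULES[i]
        if not matches(r, p):
            i += 1
        elif r["action"] in ("allow", "deny"):
            return r["action"], r["num"]
        elif r["action"] == "skipto":  # resume at the first rule numbered >= target
            i = next((j for j, x in enumerate(RULES) if x["num"] >= r["target"]), len(RULES))
        else:  # divert natd: unknown packets pass through unchanged
            p["dst"], p["dport"] = NAT_TABLE.get((p["proto"], p["dport"]), (p["dst"], p["dport"]))
            i += 1
    return "default", 65535  # rule 65535: deny unless the kernel was built to accept
```

Note that a packet arriving on lnc0 already carrying an internal destination is also accepted by 30110-30112, so the rules rely on those private ranges not being reachable from outside.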

