Date:      Wed, 21 Jan 2004 10:09:02 -0600
From:      "Micheal Patterson" <micheal@tsgincorporated.com>
To:        <freebsd-questions@freebsd.org>
Subject:   Re: ipfw/nated stateful rules example
Message-ID:  <0f6501c3e038$e3a249c0$4df24243@tsgincorporated.com>
References:  <MIEPLLIBMLEEABPDBIEGOEHGFFAA.fbsd_user@a1poweruser.com>


----- Original Message ----- 
From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: "Jonathan Chen" <jonc@chen.org.nz>
Cc: "Micheal Patterson" <micheal@tsgincorporated.com>;
<freebsd-questions@freebsd.org>
Sent: Wednesday, January 21, 2004 7:29 AM
Subject: RE: ipfw/nated stateful rules example


> You must have missed reading some parts of the thread. The problem
> is not whether you just do keep-state on the public side or the
> private side, it's with doing keep-state on both sides at the same
> time from within ipfw along with using divert statement.

If you have multiple lans (which in effect you do in my situation) you
state inspect traffic into and out of each network.

> The stated problem is
> ipfw1 and ipfw2 do not work when keep-state rules are used on a
> single interface along with divert/nated.
> They do work if divert/nated is not used and user ppp nat is used to
> perform the nat function.

They also work if NAT is used. That's because keep-state monitors the source
of the packet and relies on that.  So what you're telling me is that you'd
prefer a masqueraded IP to be the source for all of your stateful
inspections instead of the true tcp source? And you feel that is more secure
than applying stateful to the true source of the traffic prior to network
translation?

> As far as the question of using keep-state rules on both the private
> and public interfaces this is cross population of the single
> stateful table and returning packets are being matched to entries in
> the stateful table which do not belong to the interface the original
> enter was posted from. This is a logic error and invalidates the
> function of the purpose of the whole stateful concept.

It's not cross population of the stateful table. It's how stateful works
with multiple networks. Regardless of whether you are running NAT or not, if you
have 3 /24's behind your firewall, do you expect to secure them all by
simply having stateful on the firewall's wan port? What keeps them from
infiltrating each other? Don't make the assumption that all are welcome
behind the firewall. You treat them as entirely separate networks unless
otherwise stated. Now, what's going to happen to your stateful table then?
It's going to be so cross populated with traffic from 762 other systems
that you'll not see straight.

--

Micheal Patterson
TSG Network Administration
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information. Any unauthorized review, use, disclosure or
distribution is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.
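An added example (not code from this thread) of an ipfw ruleset laid out the way the reply argues for: keep-state applied per LAN interface on the true source before translation, the LANs kept apart from each other, and the natd divert placed ahead of check-state so that neither direction is matched against the stateful table before translation has happened. The interface names, subnets and natd port are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, subnets and the
# natd port below are assumed values; adjust them for a real box.
WAN="${WAN:-fxp0}"
LAN1="${LAN1:-fxp1}";  NET1="${NET1:-192.168.1.0/24}"
LAN2="${LAN2:-fxp2}";  NET2="${NET2:-192.168.2.0/24}"
NATD_PORT="${NATD_PORT:-8668}"

# By default the rules are only printed for review; APPLY=1 loads them.
add() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw -q add "$@"
    else
        printf '%s\n' "ipfw add $*"
    fi
}

build_rules() {
    # Translate on the public interface in both directions before any
    # stateful match: inbound replies get their private destination
    # back before check-state sees them, and an outbound packet is not
    # accepted by check-state while it still carries a private source.
    add 100 divert "$NATD_PORT" ip from any to any via "$WAN"
    add 200 check-state
    # The LANs are separate trust zones, not one big "inside".
    add 300 deny ip from "$NET1" to "$NET2"
    add 310 deny ip from "$NET2" to "$NET1"
    # State is created where the packet first enters the firewall, on
    # the true source address, with one set of rules per LAN interface.
    add 400 allow tcp from "$NET1" to any in via "$LAN1" setup keep-state
    add 410 allow udp from "$NET1" to any in via "$LAN1" keep-state
    add 500 allow tcp from "$NET2" to any in via "$LAN2" setup keep-state
    add 510 allow udp from "$NET2" to any in via "$LAN2" keep-state
    # Only packets that passed the inbound pass reach the public side;
    # they leave after translation. Everything else is dropped and logged.
    # (Traffic originated by the firewall itself is not covered here.)
    add 600 allow ip from any to any out via "$WAN"
    add 65000 deny log ip from any to any
}

build_rules
```

Run it as-is to review the generated rules; with APPLY=1 it loads them with `ipfw -q add` on a FreeBSD host running natd on the configured divert port.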


