Date: Tue, 07 Aug 2001 12:13:09 -0500
From: "Douglas G. Allen" <dallen@roe35.lth2.k12.il.us>
To: "Max Clements" <max.clements@swistgroup.com>
Cc: freebsd-security@freebsd.org
Subject: RE: ipfw question
Message-ID: <200108071213090935.01249DF0@mail.roe35.lth2.k12.il.us>
In-Reply-To: <DEC925D2FB9081448C3D6EC26E85868C02D44E@steinmail.swistgroup.com>
References: <DEC925D2FB9081448C3D6EC26E85868C02D44E@steinmail.swistgroup.com>
Max,

>I am assuming you mean on both interfaces, on my machine I use aliases as
>well with the port-redirect statement to natd, and I set the IPFW rules up
>using the via rl0 (my external) interface format.

I want to use ipfw to filter on both the true interface (fxp0) and the alias. I'm not using NAT at all. I'm using public addresses.

>I must confess, I have battled with the same problem - and I have not managed
>to get the functioning of IPFW and NATD clear in my head, what I do know is
>that IPFW uses divert(4) sockets to divert all ip traffic to NATD *before* it
>processes any rules. This means that all ipfw rules that you use in your
>firewall should refer to the translated addresses and not the public
>addresses, as natd rewrites the packets after the divert and then hands them
>back to ipfw at the rule number following the divert rule. To illustrate my
>point, here are the first few rules from my firewall
>
>[46] root@mufasa:/usr/local# ipfw list
>00050 divert 8668 ip from any to any via rl0
>00100 allow ip from any to any via lo0
>00200 deny ip from any to 127.0.0.0/8
>00300 deny ip from 127.0.0.0/8 to any
>00400 deny log logamount 100 ip from 172.16.0.10 to any via rl0
>00500 deny log logamount 100 ip from 192.168.0.0/16 to any via rl0

If I were using natd, I understand that I have to use the translated addresses. Maybe I do need to look at the alias as a translation and use the via fxp0 in the rules. I haven't done so up to this point, because I hoped to have a set of rules with two real interfaces. That got changed to two IPs on one interface. At any rate, it's given me something else to think about and try.

>NATD hands packets back at rule 100 after translation, this translation is
>performed on all the alias addresses according to the nat config.

This I think I understand, because the translation occurs before the rules are tested.
>Hope this helps, as it was something that really tripped me up until I
>started to log ALL packets - which was a daunting task...

Now that I see it, I think it needs to have the via clause on the rules for the alias, since it is going through the real interface. The best thing I can think of is to go try it and see if it works.

Doug
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200108071213090935.01249DF0>
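Added example, not code from the thread or from FreeBSD: a small Python model of the rule walk Max describes, so the effect of the divert rule can be traced packet by packet. It models only what the message covers (rules are tried in number order; a matching divert rule hands the packet to natd, which rewrites it and hands it back at the next rule) and ignores ports, state, and everything else ipfw(8) and natd(8) actually do. The addresses are constructed from the RFC 5737 documentation ranges, rules 600 and 700 are assumed additions to Max's posted list, and the second rule set is an assumed version of Doug's two-addresses-on-fxp0 layout.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    iface: str      # interface the packet crosses; this is what "via" tests
    direction: str  # "in" or "out", relative to the firewall host

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                # "allow", "deny" or "divert"; "log" options are ignored
    proto: str = "ip"          # "ip" matches every protocol
    src: str = "any"           # host, CIDR or "any"
    dst: str = "any"
    via: Optional[str] = None  # interface name, or None for any interface

    def matches(self, pkt):
        def addr_ok(spec, addr):
            return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)
        return (self.proto in ("ip", pkt.proto) and addr_ok(self.src, pkt.src)
                and addr_ok(self.dst, pkt.dst) and self.via in (None, pkt.iface))

class Natd:
    """Address-only stand-in for natd(8): outbound packets from the internal net leave
    with the alias as source, the remote host is remembered so the reply gets its
    destination restored, and anything without a mapping is handed back unchanged."""

    def __init__(self, alias, internal, iface):
        self.alias, self.internal, self.iface = alias, ip_network(internal), iface
        self.table = {}  # remote host -> internal host that talked to it

    def translate(self, pkt):
        if pkt.iface != self.iface:
            return pkt
        if pkt.direction == "out" and ip_address(pkt.src) in self.internal:
            self.table[pkt.dst] = pkt.src
            return replace(pkt, src=self.alias)
        if pkt.direction == "in" and pkt.dst == self.alias and pkt.src in self.table:
            return replace(pkt, dst=self.table[pkt.src])
        return pkt

def run_ipfw(rules, pkt, natd=None):
    """Try rules in number order. A matching divert rule runs the packet through natd and
    evaluation resumes at the NEXT rule with the rewritten packet (the behaviour Max
    describes). Returns (action, rule_number, packet); the implicit rule 65535 is deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            if natd is None:
                raise RuntimeError("rule %d diverts but nothing listens on the divert port" % rule.number)
            pkt = natd.translate(pkt)
            continue
        return rule.action, rule.number, pkt
    return "deny", 65535, pkt

# Max's rules 50-500 as posted (minus the log options) plus two ASSUMED rules, 600 and 700, that
# accept the translated traffic. Constructed RFC 5737 addresses; 203.0.113.10 is the natd alias on rl0.
NAT_RULES = [
    Rule(50, "divert", via="rl0"),
    Rule(100, "allow", via="lo0"),
    Rule(200, "deny", dst="127.0.0.0/8"),
    Rule(300, "deny", src="127.0.0.0/8"),
    Rule(400, "deny", src="172.16.0.10", via="rl0"),
    Rule(500, "deny", src="192.168.0.0/16", via="rl0"),
    Rule(600, "allow", src="203.0.113.10", via="rl0"),    # assumed: the translated source
    Rule(700, "allow", dst="192.168.0.0/16", via="rl0"),  # assumed: replies after un-NAT
]

def nat_walkthrough():
    natd = Natd(alias="203.0.113.10", internal="192.168.0.0/16", iface="rl0")
    out = Packet("tcp", "192.168.0.7", "198.51.100.9", "rl0", "out")
    reply = Packet("tcp", "198.51.100.9", "203.0.113.10", "rl0", "in")
    spoof = Packet("tcp", "192.168.5.5", "203.0.113.10", "rl0", "in")  # no NAT mapping exists
    return {"outbound": run_ipfw(NAT_RULES, out, natd),  # rule 500 never sees 192.168.0.7
            "reply": run_ipfw(NAT_RULES, reply, natd),
            "spoofed_inbound": run_ipfw(NAT_RULES, spoof, natd)}

# Assumed version of Doug's layout: two public addresses on fxp0 and no natd. "via fxp0" matches
# traffic for either address, so the alias is singled out by its address, not by the interface.
ALIAS_RULES = [
    Rule(100, "allow", via="lo0"),
    Rule(200, "deny", proto="tcp", dst="203.0.113.21", via="fxp0"),   # the alias address
    Rule(300, "allow", proto="tcp", dst="203.0.113.20", via="fxp0"),  # the primary address
]

def alias_walkthrough():
    return {name: run_ipfw(ALIAS_RULES, Packet("tcp", "198.51.100.9", dst, "fxp0", "in"))
            for name, dst in (("to_primary", "203.0.113.20"), ("to_alias", "203.0.113.21"))}

if __name__ == "__main__":
    for name, (action, num, p) in {**nat_walkthrough(), **alias_walkthrough()}.items():
        print("%-16s %-5s at rule %5d  (%s -> %s via %s)" % (name, action, num, p.src, p.dst, p.iface))
```

Running it traces the point both messages circle around: the outbound packet from 192.168.0.7 already carries 203.0.113.10 as its source when rule 500 is consulted, so rule 500 only ever catches an inbound packet with a forged private source, and the rules that accept the traffic (600 and 700 here) have to name the translated addresses. In the no-NAT case, "via fxp0" matches packets for both the primary and the alias address, so the two are told apart by the address in the rule.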